ID

VAR-202202-1358


CVE

CVE-2022-22536


TITLE

SAP Multiple Product Environment Issues Vulnerabilities

Trust: 0.6

sources: CNNVD: CNNVD-202202-563

DESCRIPTION

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Trust: 0.99

sources: NVD: CVE-2022-22536 // VULMON: CVE-2022-22536

AFFECTED PRODUCTS

vendor: sap // model: web dispatcher // scope: eq // version: 7.87

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64uc_8.04

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.49

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64uc_7.53

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.85

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.49

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.77

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.85

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64nuc_7.22ext

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 8.04

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.77

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64uc_7.49

Trust: 1.0

vendor: sap // model: content server // scope: eq // version: 7.53

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.87

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.86

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.53

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.81

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.86

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: 7.22

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.81

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64uc_7.22

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64uc_7.22ext

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.53

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64nuc_7.22

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: krnl64nuc_7.49

Trust: 1.0

vendor: sap // model: web dispatcher // scope: eq // version: 7.22ext

Trust: 1.0

sources: NVD: CVE-2022-22536

CVSS

SEVERITY

NVD: CVE-2022-22536
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202202-563
value: CRITICAL

Trust: 0.6

VULMON: CVE-2022-22536
value: HIGH

Trust: 0.1

CVSSV2

NVD: CVE-2022-22536
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.1

CVSSV3

NVD: CVE-2022-22536
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: VULMON: CVE-2022-22536 // CNNVD: CNNVD-202202-563 // NVD: CVE-2022-22536

PROBLEMTYPE DATA

problemtype:CWE-444

Trust: 1.0

sources: NVD: CVE-2022-22536

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-563

TYPE

environmental issue

Trust: 0.6

sources: CNNVD: CNNVD-202202-563

CONFIGURATIONS

sources: NVD: CVE-2022-22536

PATCH

title: SAP Remediation measures for multiple product environment issues and vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=181724

Trust: 0.6

title: onapsis_icmad_scanner // url: https://github.com/onapsis/onapsis_icmad_scanner

Trust: 0.1

title: CVE-2022-22536 // url: https://github.com/antx-code/cve-2022-22536

Trust: 0.1

title: SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536 // url: https://github.com/asurti6783/sap-memory-pipes-desynchronization-vulnerability-mpi-cve-2022-22536

Trust: 0.1

title: - // url: https://github.com/pondoksiber/sap-pentest-cheatsheet

Trust: 0.1

title: Threatpost // url: https://threatpost.com/sap-patches-severe-icmad-bugs/178344/

Trust: 0.1

title: BleepingComputer // url: https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-maximum-severity-sap-vulnerability/

Trust: 0.1

title: The Register // url: https://www.theregister.co.uk/2022/02/09/microsoft_patch_tuesday/

Trust: 0.1

sources: VULMON: CVE-2022-22536 // CNNVD: CNNVD-202202-563

EXTERNAL IDS

db: NVD // id: CVE-2022-22536

Trust: 1.7

db: CNNVD // id: CNNVD-202202-563

Trust: 0.6

db: VULMON // id: CVE-2022-22536

Trust: 0.1

sources: VULMON: CVE-2022-22536 // CNNVD: CNNVD-202202-563 // NVD: CVE-2022-22536

REFERENCES

url:https://launchpad.support.sap.com/#/notes/3123396

Trust: 1.7

url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Trust: 1.6

url:https://wiki.scn.sap.com/wiki/display/psr/sap+security+patch+day+-+february+2022

Trust: 0.7

url:https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-37478

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/444.html

Trust: 0.1

url:https://github.com/onapsis/onapsis_icmad_scanner

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/sap-patches-severe-icmad-bugs/178344/

Trust: 0.1

sources: VULMON: CVE-2022-22536 // CNNVD: CNNVD-202202-563 // NVD: CVE-2022-22536

SOURCES

db: VULMON // id: CVE-2022-22536
db: CNNVD // id: CNNVD-202202-563
db: NVD // id: CVE-2022-22536

LAST UPDATE DATE

2022-08-25T22:23:42.381000+00:00


SOURCES UPDATE DATE

db: VULMON // id: CVE-2022-22536 // date: 2022-02-11T00:00:00
db: CNNVD // id: CNNVD-202202-563 // date: 2022-08-25T00:00:00
db: NVD // id: CVE-2022-22536 // date: 2022-08-24T16:15:00

SOURCES RELEASE DATE

db: VULMON // id: CVE-2022-22536 // date: 2022-02-09T00:00:00
db: CNNVD // id: CNNVD-202202-563 // date: 2022-02-08T00:00:00
db: NVD // id: CVE-2022-22536 // date: 2022-02-09T23:15:00