Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-22536

Disclosure Date: February 09, 2022 •

CVE-2022-22536 CVSS v3 Base Score: 10.0

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

10.0 Critical

Impact Score:

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

Products

content server 7.53,
netweaver application server abap 7.22,
netweaver application server abap 7.49,
netweaver application server abap 7.53,
netweaver application server abap 7.77,
netweaver application server abap 7.81,
netweaver application server abap 7.85,
netweaver application server abap 7.86,
netweaver application server abap 7.87,
netweaver application server abap 8.04,
netweaver application server abap krnl64nuc 7.22,
netweaver application server abap krnl64nuc 7.22ext,
netweaver application server abap krnl64nuc 7.49,
netweaver application server abap krnl64uc 7.22,
netweaver application server abap krnl64uc 7.22ext,
netweaver application server abap krnl64uc 7.49,
netweaver application server abap krnl64uc 7.53,
netweaver application server abap krnl64uc 8.04,
web dispatcher 7.22ext,
web dispatcher 7.49,
web dispatcher 7.53,
web dispatcher 7.77,
web dispatcher 7.81,
web dispatcher 7.85,
web dispatcher 7.86,
web dispatcher 7.87

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
News Article or Blog (https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/)

Reported: August 23, 2022 3:57am UTC (1 year ago) • Edited 1 year ago

References

Canonical

CVE-2022-22536 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22536)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

CVE-2022-22536 (https://github.com/antx-code/CVE-2022-22536)

Miscellaneous

https://launchpad.support.sap.com/#/notes/3123396

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Rapid7

Unknown

CVE-2022-22536

Unknown

Unknown

None

None

Network

CVE-2022-22536

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2022-22536

Unknown

Unknown

None

None

Network

CVE-2022-22536

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification