CISA Known Exploited Vulnerability

CVE-2022-22536

SAP · Multiple Products

SAP Multiple Products HTTP Request Smuggling Vulnerability

Date added 2022-08-18

BOD 22-01 due date 2022-09-08

CWE CWE-444

Ransomware Unknown

CISA description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.

Required action

Apply updates per vendor instructions.

Notes & references

SAP users must have an account in order to login and access the patch. https://accounts.sap.com/saml2/idp/sso
https://nvd.nist.gov/vuln/detail/CVE-2022-22536

Where this lands in 800-53

Vulnerability data triggers these controls during assessment and continuous monitoring.

RA-5 · Vulnerability Monitoring and Scanning
SI-2 · Flaw Remediation
CM-6 · Configuration Settings
SI-7 · Software, Firmware, and Information Integrity
CM-8 · System Component Inventory

External lookups

NVD · CVE-2022-22536
CVE.org · CVE-2022-22536
CISA KEV catalog (canonical)