HTTP Request Smuggling Vulnerability in SAP Web Dispatcher and Internet Communication Manager
CVE-2021-33683

5.4 MEDIUM

Key Information:

Vendor: SAP
CVE Published: 14 July 2021

Summary

The vulnerability arises from the improper handling of invalid HTTP headers, specifically the Transfer-Encoding field, in the SAP Web Dispatcher and Internet Communication Manager. This flaw can be exploited by an attacker to perform an HTTP request smuggling attack, which allows for the evasion of web application firewall protections. Consequently, sensitive information, including customer requests and session credentials, could be compromised. It is critical for organizations using these products to implement necessary security measures to mitigate this risk.

Affected Version(s)

SAP Web Dispatcher and Internet Communication Manager < KRNL32NUC 7.21

SAP Web Dispatcher and Internet Communication Manager < 7.21EXT

SAP Web Dispatcher and Internet Communication Manager < 7.22

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
