Request smuggling and request concatenation in SAP Web Dispatcher
CVE-2023-33987

8.6 HIGH

Key Information:

Vendor
SAP
CVE Published:
11 July 2023

Summary

This vulnerability in SAP Web Dispatcher and KERNEL stems from improper input validation and can be exploited by an unauthenticated attacker. By submitting a specially crafted request to the front-end server, the attacker can influence how the back-end server parses and delimits messages, so that malicious content may be processed alongside legitimate traffic (request smuggling and request concatenation). This could lead to unauthorized actions, such as reading or modifying sensitive information, or to temporary unavailability of the server. Organizations using these SAP products should apply the latest patches to mitigate the risk associated with this vulnerability.

Affected Version(s)

SAP Web Dispatcher WEBDISP 7.49

SAP Web Dispatcher WEBDISP 7.53

SAP Web Dispatcher WEBDISP 7.54

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
