Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-33683

SAP Web Dispatcher and Internet Communication Manager (ICM), versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP header. The incorrect handling of the invalid Transfer-Encoding header in a particular manner leads to a possibility of HTTP Request Smuggling attack. An attacker could exploit this vulnerability to bypass web application firewall protection, divert sensitive data such as customer requests, session credentials, etc.

Published

2021-07-14T12:15:09.237

Last Modified

2024-11-21T06:09:21.507

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-444
Type: Primary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sap	web_dispatcher	7.8_kernel_7.21	Yes
Application	sap	web_dispatcher	7.21ext	Yes
Application	sap	web_dispatcher	7.22	Yes
Application	sap	web_dispatcher	7.22ext	Yes
Application	sap	web_dispatcher	7.49	Yes
Application	sap	web_dispatcher	7.53	Yes
Application	sap	web_dispatcher	7.73	Yes
Application	sap	web_dispatcher	7.77	Yes
Application	sap	web_dispatcher	7.81	Yes
Application	sap	web_dispatcher	7.82	Yes
Application	sap	web_dispatcher	krnl32nuc_7.21	Yes
Application	sap	web_dispatcher	krnl32uc_7.21	Yes
Application	sap	web_dispatcher	krnl64nuc_7.21	Yes
Application	sap	web_dispatcher	krnl64uc_7.21	Yes
Application	sap	web_dispatcher	webdisp_7.53	Yes
Application	sap	internet_communication_manager	7.21ext	Yes
Application	sap	internet_communication_manager	7.22	Yes
Application	sap	internet_communication_manager	7.22ext	Yes
Application	sap	internet_communication_manager	7.49	Yes
Application	sap	internet_communication_manager	7.53	Yes
Application	sap	internet_communication_manager	7.73	Yes
Application	sap	internet_communication_manager	7.77	Yes
Application	sap	internet_communication_manager	7.81	Yes
Application	sap	internet_communication_manager	7.82	Yes
Application	sap	internet_communication_manager	kernel_7.21	Yes
Application	sap	internet_communication_manager	krnl32nuc_7.21	Yes
Application	sap	internet_communication_manager	krnl32uc_7.21	Yes
Application	sap	internet_communication_manager	krnl64nuc_7.21	Yes
Application	sap	internet_communication_manager	krnl64uc_7.21	Yes
Application	sap	internet_communication_manager	webdisp_7.53	Yes

References

https://launchpad.support.sap.com/#/notes/3000663 Permissions Required ([email protected])
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 Vendor Advisory ([email protected])
https://launchpad.support.sap.com/#/notes/3000663 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)