CVE-2021-33683

SAP Web Dispatcher and Internet Communication Manager (ICM), versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP header. The incorrect handling of the invalid Transfer-Encoding header in a particular manner leads to a possibility of HTTP Request Smuggling attack. An attacker could exploit this vulnerability to bypass web application firewall protection, divert sensitive data such as customer requests, session credentials, etc.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
sapCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
sapweb_dispatcher
7.8_kernel_7.21:_kernel_7.21
sapweb_dispatcher
7.21ext:ext
sapweb_dispatcher
7.22
sapweb_dispatcher
7.22ext:ext
sapweb_dispatcher
7.49
sapweb_dispatcher
7.53
sapweb_dispatcher
7.73
sapweb_dispatcher
7.77
sapweb_dispatcher
7.81
sapweb_dispatcher
7.82
sapinternet_communication_manager
7.21ext:ext
sapinternet_communication_manager
7.22
sapinternet_communication_manager
7.22ext:ext
sapinternet_communication_manager
7.49
sapinternet_communication_manager
7.53
sapinternet_communication_manager
7.73
sapinternet_communication_manager
7.77
sapinternet_communication_manager
7.81
sapinternet_communication_manager
7.82
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://launchpad.support.sap.com/#/notes/3000663
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506
https://launchpad.support.sap.com/#/notes/3000663
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506