CVE-2021-33683

MEDIUM

SAP - DoS

Title source: llm

Description

SAP Web Dispatcher and Internet Communication Manager (ICM), versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP header. The incorrect handling of the invalid Transfer-Encoding header in a particular manner leads to a possibility of HTTP Request Smuggling attack. An attacker could exploit this vulnerability to bypass web application firewall protection, divert sensitive data such as customer requests, session credentials, etc.

References (2)

[Vendor Advisory] https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506

[Permissions Required] https://launchpad.support.sap.com/#/notes/3000663

Scores

CVSS v3 4.3

EPSS 0.0016

EPSS Percentile 36.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-444

Status published

Products (30)

sap/internet_communication_manager 7.21ext

sap/internet_communication_manager 7.22

sap/internet_communication_manager 7.22ext

sap/internet_communication_manager 7.49

sap/internet_communication_manager 7.53

sap/internet_communication_manager 7.73

sap/internet_communication_manager 7.77

sap/internet_communication_manager 7.81

sap/internet_communication_manager 7.82

sap/internet_communication_manager kernel_7.21

... and 20 more

Published Jul 14, 2021

Tracked Since Feb 18, 2026