DIVD-2022-00010 - Auth bypass in SAP

Our reference DIVD-2022-00010
Case lead Patrick Hulshof
Researcher(s)
CVE(s)
Product SAP
Versions SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher.
Recommendation Patches are available now from the vendor.
Status Closed
Last modified 03 Nov 2022 12:37 CET

Summary

On Tuesday, February 8, 2022, SAP published a notice detailing a major request smuggling flaw within their SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher products, which SAP claims could lead to authentication bypass. This vulnerability is tracked as CVE-2022-22537

What you can do

What we are doing

Timeline

Date Description
08 Feb 2022 SAP reported about the vulnerability.
08 Feb 2022 DIVD starts OSINT research.
09 Feb 2022 DIVD starts scanning the internet for open SAP instances.
10 Feb 2022 DIVD starts with identifying owners.
10 Feb 2022 DIVD send out a first batch of notifications.
11 Feb 2022 DIVD start a second scan
13 Feb 2022 DIVD send out a second batch of notifications.
10 Apr 2022 Closing this case after monitoring patch progression.
gantt title DIVD-2022-00010 - Auth bypass in SAP dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00010 - Auth bypass in SAP (61 days) :2022-02-08, 2022-04-10 section Events SAP reported about the vulnerability. : milestone, 2022-02-08, 0d DIVD starts OSINT research. : milestone, 2022-02-08, 0d DIVD starts scanning the internet for open SAP instances. : milestone, 2022-02-09, 0d DIVD starts with identifying owners. : milestone, 2022-02-10, 0d DIVD send out a first batch of notifications. : milestone, 2022-02-10, 0d DIVD start a second scan : milestone, 2022-02-11, 0d DIVD send out a second batch of notifications. : milestone, 2022-02-13, 0d Closing this case after monitoring patch progression. : milestone, 2022-04-10, 0d

More information