CVE-2021-33683

Severity: MEDIUM | CVSS 4.3/10 | EPSS 0.55%


CVE-2021-33683 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale in SAP Web Dispatcher and Internet Communication Manager (ICM). The affected kernel and Web Dispatcher versions (listed in full under Description below) mishandle an invalid Transfer-Encoding header in a way that makes an HTTP Request Smuggling attack possible. EPSS estimates a 0.55% chance of exploitation in the next 30 days.

Description

SAP Web Dispatcher and Internet Communication Manager (ICM), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, and KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP headers incorrectly. The mishandling of an invalid Transfer-Encoding header in a particular manner makes an HTTP Request Smuggling attack possible. An attacker could exploit this vulnerability to bypass web application firewall protection and divert sensitive data such as customer requests and session credentials.

Metrics

CVSS 3.1: 4.3/10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope; low integrity impact, no confidentiality or availability impact)

EPSS probability: 0.55% (41.6th percentile), the estimated probability of exploitation in the next 30 days.


Affected Software

Vendor | Product | Versions
Sap | Web Dispatcher | 7.8_kernel_7.21, 7.21ext, 7.22, 7.22ext, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, krnl32nuc_7.21, krnl32uc_7.21, krnl64nuc_7.21, krnl64uc_7.21, webdisp_7.53
Sap | Internet Communication Manager | 7.21ext, 7.22, 7.22ext, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, kernel_7.21, krnl32nuc_7.21, krnl32uc_7.21, krnl64nuc_7.21, krnl64uc_7.21, webdisp_7.53


Frequently Asked Questions

How do I fix CVE-2021-33683?
Check the vendor's (SAP's) security advisories for patched versions and mitigation guidance for the affected kernel and Web Dispatcher releases.


Source: NVD / NIST