CVE-2023-33987— Request smuggling and request concatenation in SAP Web Dispatcher
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-33987
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Request smuggling and request concatenation in SAP Web Dispatcher
Source: NVD (National Vulnerability Database)
Vulnerability Description
An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify information on the server or make it temporarily unavailable.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP Web Dispatcher 环境问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP Web Dispatcher是德国思爱普(SAP)公司的Load Balancing 的核心组件,支持负载均衡,提供反向代理的功能,使得外网用户可以访问到内部应用。 SAP Web Dispatcher 存在环境问题漏洞,该漏洞源于可以通过网络向前端服务器提交恶意制作的请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP Web Dispatcher | WEBDISP 7.49 | - |
II. Public POCs for CVE-2023-33987
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-33987
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2023-07-11 · 18 CVEs total
| CVE-2023-36922 | 9.1 CRITICAL | OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) |
| CVE-2023-33989 | 8.7 HIGH | Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) |
| CVE-2023-33990 | 7.8 HIGH | Denial of Service (DoS) vulnerability in SAP SQL Anywhere |
| CVE-2023-35871 | 7.7 HIGH | Memory Corruption vulnerability in SAP Web Dispatcher |
| CVE-2023-36925 | 7.2 HIGH | Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) |
| CVE-2023-36921 | 7.2 HIGH | Header Injection in SAP Solution Manager (Diagnostic Agent) |
| CVE-2023-35873 | 6.5 MEDIUM | Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) |
| CVE-2023-35872 | 6.5 MEDIUM | Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) |
| CVE-2023-35870 | 6.3 MEDIUM | Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) |
| CVE-2023-33988 | 6.1 MEDIUM | Cross-Site Scripting vulnerability in SAP Enable Now |
| CVE-2023-36918 | 6.1 MEDIUM | Cross-Site Scripting vulnerability in SAP Enable Now |
| CVE-2023-35874 | 6.0 MEDIUM | Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform |
| CVE-2023-36917 | 5.9 MEDIUM | Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform |
| CVE-2023-31405 | 5.3 MEDIUM | Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) |
| CVE-2023-36919 | 5.3 MEDIUM | Information Disclosure in SAP Enable Now |
| CVE-2023-36924 | 4.9 MEDIUM | Log Injection vulnerability in SAP ERP Defense Forces and Public Security |
| CVE-2023-33992 | 4.5 MEDIUM | Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA |
IV. Related Vulnerabilities
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
Same weakness: CWE-444
- CVE-2026-40562
Gazelle versions through 0.49 for Perl allows HTTP Request S - CVE-2026-40561
Starlet versions through 0.31 for Perl allows HTTP Request S - CVE-2026-39805
CL.CL HTTP request smuggling via duplicate Content-Length in - CVE-2026-40560
Starman versions before 0.4018 for Perl allows HTTP Request - CVE-2026-41873
Pony Mail: Admin account takeover via request smuggling
V. Comments for CVE-2023-33987
No comments yet