CVE-2021-38162
8.9 HIGHSAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22...
Published: 2021-09-14 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 8.9 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
- CWE
- CWE-444
Affected products
| Vendor | Product |
|---|---|
| sap | web_dispatcher |
Description
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify any information on the server or consume server resources making it temporarily unavailable.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-38162
- [Exploit reference]http://packetstormsecurity.com/files/166964/SAP-Web-Dispatcher-HTTP-Request-Smuggling.html
- [Exploit reference]http://seclists.org/fulldisclosure/2022/May/3
- [Other]https://launchpad.support.sap.com/#/notes/3080567
- [Vendor advisory]https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
- [Exploit reference]http://packetstormsecurity.com/files/166964/SAP-Web-Dispatcher-HTTP-Request-Smuggling.html
- [Exploit reference]http://seclists.org/fulldisclosure/2022/May/3
- [Other]https://launchpad.support.sap.com/#/notes/3080567
- [Vendor advisory]https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
Related CVEs
Same vendor
- CVE-2026-27680 — Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascad... (3.1 LOW)
- CVE-2026-40135 — An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authentica... (6.5 MEDIUM)
- CVE-2026-27682 — Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Serv... (4.7 MEDIUM)
- CVE-2026-34257 — Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL tha... (6.1 MEDIUM)
- CVE-2026-27674 — Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could suppl... (6.1 MEDIUM)
Same CWE
- CVE-2026-50020 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
- CVE-2026-46342 — Nuxt is an open-source web development framework for Vue.js (5.4 MEDIUM)
- CVE-2026-6338 — A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series
- CVE-2026-41853 — Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
- CVE-2026-44546 — daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)