A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.
References
Link | Resource |
---|---|
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html |
Configurations
Configuration 1 (hide)
|
History
30 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 May 2021, 12:32
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:trustwave:owasp_modsecurity_core_rule_set:3.1.0:rc1:*:*:*:*:*:* cpe:2.3:a:trustwave:owasp_modsecurity_core_rule_set:3.1.0:rc3:*:*:*:*:*:* |
cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.1.0:rc1:*:*:*:*:*:* cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.1.0:rc3:*:*:*:*:*:* |
Information
Published : 2018-09-03 02:29
Updated : 2023-12-10 12:44
NVD link : CVE-2018-16384
Mitre link : CVE-2018-16384
CVE.ORG link : CVE-2018-16384
JSON object : View
Products Affected
owasp
- owasp_modsecurity_core_rule_set
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')