Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
References
Link | Resource |
---|---|
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727 | Exploit Issue Tracking Third Party Advisory |
https://github.com/coreruleset/coreruleset/pull/1793 | Exploit Issue Tracking Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html | Mailing List Third Party Advisory |
Configurations
History
16 Feb 2023, 19:30
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
First Time |
Debian
Debian debian Linux |
30 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Sep 2022, 03:25
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Owasp owasp Modsecurity Core Rule Set
Owasp |
|
CPE | cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.2.0:*:*:*:*:*:*:* | |
CWE | CWE-89 | |
References | (MISC) https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727 - Exploit, Issue Tracking, Third Party Advisory | |
References | (CONFIRM) https://github.com/coreruleset/coreruleset/pull/1793 - Exploit, Issue Tracking, Patch, Third Party Advisory |
02 Sep 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-02 18:15
Updated : 2023-12-10 14:35
NVD link : CVE-2020-22669
Mitre link : CVE-2020-22669
CVE.ORG link : CVE-2020-22669
JSON object : View
Products Affected
owasp
- owasp_modsecurity_core_rule_set
debian
- debian_linux
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')