The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:50
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
21 May 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2023, 19:20
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
First Time |
Debian
Debian debian Linux |
|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory |
30 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jan 2023, 13:26
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ - Mailing List, Third Party Advisory |
14 Nov 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Nov 2022, 20:19
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
|
First Time |
Fedoraproject
Fedoraproject fedora |
|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ - Mailing List, Third Party Advisory |
15 Oct 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Sep 2022, 18:45
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ - Patch, Vendor Advisory | |
CPE | cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* | |
CWE | NVD-CWE-Other | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Owasp
Owasp owasp Modsecurity Core Rule Set |
20 Sep 2022, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-20 07:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39955
Mitre link : CVE-2022-39955
CVE.ORG link : CVE-2022-39955
JSON object : View
Products Affected
fedoraproject
- fedora
owasp
- owasp_modsecurity_core_rule_set
debian
- debian_linux
CWE