The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:50
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
21 May 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2023, 19:20
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory | |
First Time |
Debian
Debian debian Linux |
30 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jan 2023, 13:56
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
14 Nov 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Nov 2022, 20:18
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ - Mailing List, Third Party Advisory | |
First Time |
Fedoraproject
Fedoraproject fedora |
|
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
15 Oct 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Sep 2022, 18:55
Type | Values Removed | Values Added |
---|---|---|
First Time |
Owasp
Owasp owasp Modsecurity Core Rule Set |
|
CWE | CWE-116 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (CONFIRM) https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ - Patch, Vendor Advisory | |
CPE | cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* |
20 Sep 2022, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-20 07:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39956
Mitre link : CVE-2022-39956
CVE.ORG link : CVE-2022-39956
JSON object : View
Products Affected
fedoraproject
- fedora
owasp
- owasp_modsecurity_core_rule_set
debian
- debian_linux