The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:50
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
21 May 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2023, 19:20
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
First Time |
Debian
Debian debian Linux |
30 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jan 2023, 14:06
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
14 Nov 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Nov 2022, 20:27
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
|
First Time |
Fedoraproject
Fedoraproject fedora |
|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ - Mailing List, Third Party Advisory |
15 Oct 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Sep 2022, 18:27
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ - Patch, Vendor Advisory | |
CWE | CWE-116 | |
CPE | cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* | |
First Time |
Owasp
Owasp owasp Modsecurity Core Rule Set |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
20 Sep 2022, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-20 07:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39957
Mitre link : CVE-2022-39957
CVE.ORG link : CVE-2022-39957
JSON object : View
Products Affected
owasp
- owasp_modsecurity_core_rule_set
debian
- debian_linux
fedoraproject
- fedora