The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
History
07 Nov 2023, 03:50

Type | Values Removed | Values Added |
---|---|---|
References | | |
21 May 2023, 22:15

Type | Values Removed | Values Added |
---|---|---|
References | | |
16 Feb 2023, 19:20

Type | Values Removed | Values Added |
---|---|---|
References | | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory |
First Time | | Debian; Debian debian Linux |
CPE | | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
30 Jan 2023, 21:15

Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Jan 2023, 14:06

Type | Values Removed | Values Added |
---|---|---|
References | | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ - Mailing List, Third Party Advisory |
CPE | | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
14 Nov 2022, 15:15

Type | Values Removed | Values Added |
---|---|---|
References | | |
09 Nov 2022, 20:20

Type | Values Removed | Values Added |
---|---|---|
References | | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ - Mailing List, Third Party Advisory |
References | | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ - Mailing List, Third Party Advisory |
CPE | | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*; cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
First Time | | Fedoraproject; Fedoraproject fedora |
15 Oct 2022, 23:15

Type | Values Removed | Values Added |
---|---|---|
References | | |
21 Sep 2022, 18:27

Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : (empty), v3 : (empty) | v2 : unknown, v3 : 7.5 |
CPE | | cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* |
CWE | | CWE-116 |
First Time | | Owasp; Owasp owasp Modsecurity Core Rule Set |
References | | (CONFIRM) https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ - Patch, Vendor Advisory |
20 Sep 2022, 07:15

Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2022-09-20 07:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39958
Mitre link : CVE-2022-39958
CVE.ORG link : CVE-2022-39958
Products Affected
fedoraproject
- fedora
owasp
- owasp_modsecurity_core_rule_set
debian
- debian_linux