7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.3 High
AI Score
Confidence
High
0.013 Low
EPSS
Percentile
85.6%
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type “charset” names and therefore bypassing the configurable CRS Content-Type header “charset” allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
[
{
"vendor": "OWASP",
"product": "ModSecurity Core Rule Set",
"versions": [
{
"version": "3.0.x",
"status": "affected"
},
{
"version": "3.1.x",
"status": "affected"
},
{
"version": "unspecified",
"lessThanOrEqual": "3.2.1",
"status": "affected",
"versionType": "custom"
},
{
"version": "unspecified",
"lessThanOrEqual": "3.3.2",
"status": "affected",
"versionType": "custom"
}
]
}
]
coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
lists.debian.org/debian-lts-announce/2023/01/msg00033.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
security.gentoo.org/glsa/202305-25
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.3 High
AI Score
Confidence
High
0.013 Low
EPSS
Percentile
85.6%