CVE-2022-39955 Partial rule set bypass in OWASP ModSecurity Core Rule Set by submitting a specially crafted HTTP Content-Type header

2022-09-2000:00:00

CWE-863

NCSC.ch

www.cve.org

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

9.3 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.6%

JSON

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type “charset” names and therefore bypassing the configurable CRS Content-Type header “charset” allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CNA Affected

[
  {
    "vendor": "OWASP",
    "product": "ModSecurity Core Rule Set",
    "versions": [
      {
        "version": "3.0.x",
        "status": "affected"
      },
      {
        "version": "3.1.x",
        "status": "affected"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "3.2.1",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "3.3.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]