CVE-2022-39955

2022-09-2007:15:12

Debian Security Bug Tracker

security-tracker.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.013 Low

EPSS

Percentile

85.6%

JSON

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type “charset” names and therefore bypassing the configurable CRS Content-Type header “charset” allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

OSVersionArchitecturePackageVersionFilename
Debian12allmodsecurity-crs< 3.3.4-1modsecurity-crs_3.3.4-1_all.deb
Debian11allmodsecurity-crs<= 3.3.0-1+deb11u1modsecurity-crs_3.3.0-1+deb11u1_all.deb
Debian10allmodsecurity-crs< 3.2.3-0+deb10u3modsecurity-crs_3.2.3-0+deb10u3_all.deb
Debian999allmodsecurity-crs< 3.3.4-1modsecurity-crs_3.3.4-1_all.deb
Debian13allmodsecurity-crs< 3.3.4-1modsecurity-crs_3.3.4-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	modsecurity-crs	< 3.3.4-1	modsecurity-crs_3.3.4-1_all.deb
Debian	11	all	modsecurity-crs	<= 3.3.0-1+deb11u1	modsecurity-crs_3.3.0-1+deb11u1_all.deb
Debian	10	all	modsecurity-crs	< 3.2.3-0+deb10u3	modsecurity-crs_3.2.3-0+deb10u3_all.deb
Debian	999	all	modsecurity-crs	< 3.3.4-1	modsecurity-crs_3.3.4-1_all.deb
Debian	13	all	modsecurity-crs	< 3.3.4-1	modsecurity-crs_3.3.4-1_all.deb