Lucene search

[email protected]NVD:CVE-2021-42717

HistoryDec 07, 2021 - 10:15 p.m.

CVE-2021-42717

2021-12-0722:15:06

CWE-674

[email protected]

web.nvd.nist.gov

modsecurity

vulnerability

json

web server

nginx

cpu

modsecurity 3.x

modsecurity 2

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.004

Percentile

74.8%

JSON

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Affected configurations

Nvd

Node

trustwavemodsecurityRange2.0.0–2.9.5

trustwavemodsecurityRange3.0.0–3.0.6

Node

f5nginx_modsecurity_wafMatchr24

f5nginx_modsecurity_wafMatchr25

Node

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

Node

oraclehttp_serverMatch12.2.1.3.0

oraclehttp_serverMatch12.2.1.4.0

oraclezfs_storage_appliance_kitMatch8.8

VendorProductVersionCPE
trustwavemodsecurity*cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*
f5nginx_modsecurity_wafr24cpe:2.3:a:f5:nginx_modsecurity_waf:r24:*:*:*:*:*:*:*
f5nginx_modsecurity_wafr25cpe:2.3:a:f5:nginx_modsecurity_waf:r25:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
oraclehttp_server12.2.1.3.0cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
oraclehttp_server12.2.1.4.0cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
oraclezfs_storage_appliance_kit8.8cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
trustwave	modsecurity	*	cpe:2.3:a:trustwave:modsecurity::::::::
f5	nginx_modsecurity_waf	r24	cpe:2.3:a:f5:nginx_modsecurity_waf:r24:::::::*
f5	nginx_modsecurity_waf	r25	cpe:2.3:a:f5:nginx_modsecurity_waf:r25:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*
oracle	http_server	12.2.1.3.0	cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::*
oracle	http_server	12.2.1.4.0	cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*
oracle	zfs_storage_appliance_kit	8.8	cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*