
965 matches found

Fedora
added 2022/10/24 2:10 p.m. | 33 views

[SECURITY] Fedora 36 Update: libmodsecurity-3.0.8-1.fc36

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. In general, it provides the capability to load/interpret rules written in the ModSecurity...

CVSS 9.8 | AI score 1.9 | EPSS 0.02542
Exploits: 1

Fedora
added 2022/10/15 9:27 p.m. | 29 views

[SECURITY] Fedora 35 Update: mod_security-2.9.6-1.fc35

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks...

CVSS 9.8 | AI score 3.1 | EPSS 0.01085
Exploits: 0

Fedora
added 2022/10/15 9:20 p.m. | 31 views

[SECURITY] Fedora 36 Update: mod_security-2.9.6-1.fc36

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks...

CVSS 9.8 | AI score 3.1 | EPSS 0.01085
Exploits: 0

Veracode
added 2022/10/11 3:57 p.m. | 26 views

SQL Injection

modsecurity-crs:sid is vulnerable to SQL injection. An authenticated attacker is able to inject and execute arbitrary SQL commands in the database through comment characters and variable assignments in the SQL syntax...

CVSS 9.8 | AI score 9.8 | EPSS 0.00992
Exploits: 1 | References: 5 | Affected Software: 1

Veracode
added 2022/10/10 9:11 p.m. | 33 views

Authorization Bypass

modsecurity-crs:sid is vulnerable to authorization bypass. The vulnerability exists due to encoded payload bypass detection, allowing an attacker to cause a specially malicious HTTP Content-Type header field...

CVSS 9.8 | AI score 8.7 | EPSS 0.01085
Exploits: 0 | References: 10 | Affected Software: 1

Veracode
added 2022/10/10 9:8 p.m. | 28 views

Authorization Bypass

modsecurity-crs:sid is vulnerable to authorization bypass. The vulnerability exists due to a character encoding scheme, allowing an attacker to cause specially malicious HTTP multipart requests to bypass detection...

CVSS 9.8 | AI score 8.3 | EPSS 0.00926
Exploits: 0 | References: 10 | Affected Software: 1

Veracode
added 2022/10/10 9:8 p.m. | 31 views

Authorization Bypass

modsecurity-crs:sid is vulnerable to authorization bypass. The vulnerability exists due to repeated payloads with an HTTP range header field, allowing an attacker to do a response body bypass by accessing restricted resources...

CVSS 7.5 | AI score 8.4 | EPSS 0.00927
Exploits: 0 | References: 10 | Affected Software: 1

BDU FSTEC
added 2022/10/04 12:0 a.m. | 4 views

The vulnerability in Trustwave ModSecurity, a network firewall used for protecting web applications, arises from the execution of a loop with an unreachable exit condition. This allows attackers to trigger a service failure.

The vulnerability in Trustwave ModSecurity, a network firewall used for protecting web applications, is related to the execution of a loop with an unreachable exit condition. Exploiting this vulnerability allows a malicious actor to trigger a service failure through a specially crafted HTTP...

CVSS 7.8 | AI score 7.3 | EPSS 0.03141
Exploits: 2 | References: 7 | Affected Software: 2

RedhatCVE
added 2022/09/30 5:19 p.m. | 46 views

CVE-2022-39958

A flaw was found in the OWASP ModSecurity Core Rule Set. Repeated payloads with an HTTP range header field with a small byte range allow a response body bypass, resulting in access to restricted resources...

CVSS 7.3 | AI score 0.1 | EPSS 0.00927
Exploits: 0 | References: 4

RedhatCVE
added 2022/09/30 5:19 p.m. | 32 views

CVE-2022-39957

A flaw was found in the OWASP ModSecurity Core Rule Set. A payload with an HTTP accept header field containing a charset that can't be decoded by the Web Application Firewall allows a response body bypass, resulting in access to restricted resources...

CVSS 7.3 | AI score 1.9 | EPSS 0.0075
Exploits: 0 | References: 4

RedhatCVE
added 2022/09/30 5:18 p.m. | 41 views

CVE-2022-39955

A flaw was found in the OWASP ModSecurity Core Rule Set. A specially crafted HTTP Content-Type header field allows an encoded payload to bypass detection, which may be decoded in the back-end application...

CVSS 7.3 | AI score 1.4 | EPSS 0.01085
Exploits: 0 | References: 4

RedhatCVE
added 2022/09/30 5:18 p.m. | 57 views

CVE-2022-39956

A flaw was found in the OWASP ModSecurity Core Rule Set. A payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields allows HTTP multipart requests to bypass detection...

CVSS 7.3 | AI score 1.2 | EPSS 0.00926
Exploits: 0 | References: 4

OSV
added 2022/09/23 11:4 a.m. | 4 views

OESA-2022-1954 mod_security security update

This software is also called Modsec; it is an open-source web application firewall. It is designed for Apache HTTP Server. ModSecurity is commonly deployed to provide protections against generic classes of vulnerabilities. The install of this package is easy and you can read the README.TXT for more...

CVSS 7.5 | AI score 6.8 | EPSS 0.03206
Exploits: 2 | References: 2

NVD
added 2022/09/20 7:15 a.m. | 17 views

CVE-2022-39958

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...

CVSS 7.5 | EPSS 0.00927
Exploits: 0 | References: 7

NVD
added 2022/09/20 7:15 a.m. | 15 views

CVE-2022-39957

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web...

CVSS 7.5 | EPSS 0.0075
Exploits: 0 | References: 7

NVD
added 2022/09/20 7:15 a.m. | 21 views

CVE-2022-39955

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...

CVSS 9.8 | EPSS 0.01085
Exploits: 0 | References: 7

NVD
added 2022/09/20 7:15 a.m. | 24 views

CVE-2022-39956

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and...

CVSS 9.8 | EPSS 0.00926
Exploits: 0 | References: 7

OSV
added 2022/09/20 7:15 a.m. | 27 views

CVE-2022-39958

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...

CVSS 7.5 | AI score 6.7
Exploits: 0 | References: 7

OSV
added 2022/09/20 7:15 a.m. | 24 views

CVE-2022-39955

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...

CVSS 9.8 | AI score 6.4
Exploits: 0 | References: 7

OSV
added 2022/09/20 7:15 a.m. | 39 views

CVE-2022-39956

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and...

CVSS 9.8 | AI score 6.8
Exploits: 0 | References: 7