Lucene search
K

111 matches found

OSV
OSV
added 2024/03/18 4:12 p.m.10 views

MGASA-2024-0070 Updated apache-mod_security-crs packages fix security vulnerabilities

A SQL injection bypass aka PL1 bypass exists in OWASP ModSecurity Core Rule Set owasp-modsecurity-crs through v3.1.0-rc3 via ab where a is a special function name such as "if" and b is the SQL statement to be executed. CVE-2018-16384 Modsecurity owasp-modsecurity-crs 3.2.0 Paranoia level at PL1 h...

9.8CVSS7.7AI score0.02542EPSS
Exploits3References7
UbuntuCve
UbuntuCve
added 2023/07/13 3:15 a.m.18 views

CVE-2023-38199

coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...

9.8CVSS7.2AI score0.00631EPSS
Exploits0References3
CVE
CVE
added 2023/07/13 12:0 a.m.50 views

CVE-2023-38199

The CVE-2023-38199 entry concerns coreruleset (OWASP ModSecurity Core Rule Set) up to version 3.3.4. The issue is that some platforms do not detect multiple Content-Type request headers, which can cause a WAF to be bypassed when an application relies on the last Content-Type header. This is a hea...

9.8CVSS9.2AI score0.00631EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2023/07/13 12:0 a.m.17 views

CVE-2023-38199

coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...

6.8AI score0.00631EPSS
Exploits0References2
OSV
OSV
added 2023/07/13 12:0 a.m.16 views

CVE-2023-38199

coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...

9.8CVSS7.1AI score0.00631EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2023/07/13 12:0 a.m.14 views

CVE-2023-38199

coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...

9.8CVSS9.4AI score0.00631EPSS
Exploits0
Gentoo Linux
Gentoo Linux
added 2023/05/21 12:0 a.m.40 views

OWASP ModSecurity Core Rule Set: Multiple Vulnerabilities

Background Modsecurity Core Rule Set is the OWASP ModSecurity Core Rule Set. Description Multiple vulnerabilities have been discovered in OWASP ModSecurity Core Rule Set. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for detail...

9.8CVSS7.4AI score0.02542EPSS
Exploits1
Veracode
Veracode
added 2023/03/11 3:37 a.m.28 views

SQL Injection

modsecurity-crs:buster is vulnerable to SQL Injection attacks. An SQL injection bypass exists in OWASP ModSecurity Core Rule Set via ab where a is a special function name such as "if" and b is the SQL statement to be executed...

7.5CVSS8.5AI score0.01672EPSS
Exploits1References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2022/12/22 12:0 a.m.26 views

Fedora 36 : libmodsecurity (2022-afa1e7b6c4)

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-afa1e7b6c4 advisory. Update to maintenance release 3.0.8 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has no...

9.8CVSS7.5AI score0.02542EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2022/09/30 5:19 p.m.32 views

CVE-2022-39957

A flaw was found in the OWASP ModSecurity Core Rule Set. A payload with a HTTP accept header field containing a charset that can't be decoded by the Web Application Firewall allows a response body bypass, resulting in access to restricted resources...

7.3CVSS1.9AI score0.00771EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2022/09/30 5:18 p.m.42 views

CVE-2022-39955

A flaw was found in the OWASP ModSecurity Core Rule Set. A specially crafted HTTP Content-Type header field allows an encoded payload bypass detection, which may be decoded in the back-end application...

7.3CVSS1.4AI score0.01115EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2022/09/30 5:18 p.m.59 views

CVE-2022-39956

A flaw was found in the OWASP ModSecurity Core Rule Set. A payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields allows HTTP multipart requests to bypass detection...

7.3CVSS1.2AI score0.00952EPSS
Exploits0References4
NVD
NVD
added 2022/09/20 7:15 a.m.28 views

CVE-2022-39958

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...

7.5CVSS0.00953EPSS
Exploits0References7
NVD
NVD
added 2022/09/20 7:15 a.m.29 views

CVE-2022-39956

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and...

9.8CVSS0.00952EPSS
Exploits0References7
NVD
NVD
added 2022/09/20 7:15 a.m.23 views

CVE-2022-39955

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...

9.8CVSS0.01115EPSS
Exploits0References7
NVD
NVD
added 2022/09/20 7:15 a.m.23 views

CVE-2022-39957

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web...

7.5CVSS0.00771EPSS
Exploits0References7
UbuntuCve
UbuntuCve
added 2022/09/20 7:15 a.m.48 views

CVE-2022-39958

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...

7.5CVSS7.1AI score0.00953EPSS
Exploits0References2
UbuntuCve
UbuntuCve
added 2022/09/20 7:15 a.m.31 views

CVE-2022-39957

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web...

7.5CVSS7.1AI score0.00771EPSS
Exploits0References2
Prion
Prion
added 2022/09/20 7:15 a.m.23 views

Authentication flaw

The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...

5CVSS8.4AI score0.00953EPSS
Exploits0References6Affected Software3
Prion
Prion
added 2022/09/20 7:15 a.m.29 views

Design/Logic Flaw

The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...

7.5CVSS9.1AI score0.01115EPSS
Exploits0References6Affected Software3
Rows per page
Query Builder