111 matches found
MGASA-2024-0070 Updated apache-mod_security-crs packages fix security vulnerabilities
A SQL injection bypass aka PL1 bypass exists in OWASP ModSecurity Core Rule Set owasp-modsecurity-crs through v3.1.0-rc3 via ab where a is a special function name such as "if" and b is the SQL statement to be executed. CVE-2018-16384 Modsecurity owasp-modsecurity-crs 3.2.0 Paranoia level at PL1 h...
CVE-2023-38199
coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...
CVE-2023-38199
The CVE-2023-38199 entry concerns coreruleset (OWASP ModSecurity Core Rule Set) up to version 3.3.4. The issue is that some platforms do not detect multiple Content-Type request headers, which can cause a WAF to be bypassed when an application relies on the last Content-Type header. This is a hea...
CVE-2023-38199
coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...
CVE-2023-38199
coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...
CVE-2023-38199
coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...
OWASP ModSecurity Core Rule Set: Multiple Vulnerabilities
Background Modsecurity Core Rule Set is the OWASP ModSecurity Core Rule Set. Description Multiple vulnerabilities have been discovered in OWASP ModSecurity Core Rule Set. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for detail...
SQL Injection
modsecurity-crs:buster is vulnerable to SQL Injection attacks. An SQL injection bypass exists in OWASP ModSecurity Core Rule Set via ab where a is a special function name such as "if" and b is the SQL statement to be executed...
Fedora 36 : libmodsecurity (2022-afa1e7b6c4)
The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-afa1e7b6c4 advisory. Update to maintenance release 3.0.8 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has no...
CVE-2022-39957
A flaw was found in the OWASP ModSecurity Core Rule Set. A payload with a HTTP accept header field containing a charset that can't be decoded by the Web Application Firewall allows a response body bypass, resulting in access to restricted resources...
CVE-2022-39955
A flaw was found in the OWASP ModSecurity Core Rule Set. A specially crafted HTTP Content-Type header field allows an encoded payload bypass detection, which may be decoded in the back-end application...
CVE-2022-39956
A flaw was found in the OWASP ModSecurity Core Rule Set. A payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields allows HTTP multipart requests to bypass detection...
CVE-2022-39958
The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...
CVE-2022-39956
The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and...
CVE-2022-39955
The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...
CVE-2022-39957
The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web...
CVE-2022-39958
The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...
CVE-2022-39957
The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web...
Authentication flaw
The OWASP ModSecurity Core Rule Set CRS is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...
Design/Logic Flaw
The OWASP ModSecurity Core Rule Set CRS is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...