CVE-2019-13464
CVE-2019-13464 affects the OWASP ModSecurity Core Rule Set (CRS) 3.0.2. The issue is that using X.Filename instead of X_Filename can bypass some PHP Script Uploads rules because PHP converts dots to underscores in contexts where dots are invalid, allowing certain uploads to escape detection. Publ...
CVE-2019-11391
The CVE-2019-11391 entry concerns OWASP ModSecurity Core Rule Set (CRS) up to version 3.1.0. The vulnerability is tied to /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf, where a specially crafted string beginning with $a# and containing nested repetition operators could cause a denial of service ...
CVE-2019-11389
CVE-2019-11389 affects the OWASP ModSecurity Core Rule Set (CRS) up to version 3.1.0. The issue is in /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf, where a specially crafted string starting with next# and containing nested repetition operators can cause a denial of service (ReDoS) via the regul...
CVE-2019-11390
CVE-2019-11390 affects OWASP ModSecurity Core Rule Set (CRS) up to version 3.1.0. The issue resides in /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf where crafted input using set_error_handler# at the beginning and nested repetition operators can cause a denial of service (ReDOS). The Red Hat/SU...
CVE-2019-11387
The CVE-2019-11387 entry describes a ReDOS vulnerability in OWASP ModSecurity Core Rule Set (CRS) up to version 3.1.0. Specifically, the rule file /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf can be triggered to cause a denial of service by feeding a specially crafted string with nested repeti...
CVE-2019-11388
Affected product: OWASP ModSecurity Core Rule Set (CRS) up to version 3.1.0. Vulnerable component: /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf, where a specially crafted string with nested repetition operators can cause a denial of service (ReDOS). Underlying cause: nested repetition operators...