CVE-2019-13464 — Unrestricted File Upload in Modsecurity-crs

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 53.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Modsecurity-crs Modsecurity Owasp Modsecurity Core Rule SET

Timeline

PublishedJul 9

Latest updateMay 24

Description

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDmodsecurity/owasp_modsecurity_core_rule_set3.0.2

▶debiandebian/modsecurity-crs< modsecurity-crs 3.2.0-1 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-9qm4-xr26-w9h5: An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3↗2022-05-24

▶

OSV

CVE-2019-13464: An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3↗2019-07-09

▶

📋Vendor Advisories

Debian

CVE-2019-13464: modsecurity-crs - An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X...↗2019

▶