CVE-2020-15598
Published 2020-10-06
Priority: P3 · 42 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.14% (86.3rd percentile)
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial of Service condition. The vendor does not consider this as a security issue because: 1) there is no default configuration issue here. An attacker would need to know that a rule using a potentially problematic regular expression was in place, 2) the attacker would need to know the basic nature of the regular expression itself to exploit any resource issues. It's well known that regular expression usage can be taxing on system resources regardless of the use case. It is up to the administrator to decide on when it is appropriate to trade resources for potential security benefit.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | modsecurity | < modsecurity 3.0.4-2 (bookworm) | modsecurity 3.0.4-2 (bookworm) |
| owasp | modsecurity | 3.0.0 – 3.0.4 | — |
| trustwave | modsecurity | >= 0 < 3.0.4-2 | 3.0.4-2 |
| trustwave | modsecurity | >= 0 < 3.0.4-2 | 3.0.4-2 |
| trustwave | modsecurity | >= 0 < 3.0.4-2 | 3.0.4-2 |
| trustwave | modsecurity | >= 0 < 3.0.4-2 | 3.0.4-2 |
| trustwave | modsecurity | >= 0 < 3.0.4-2 | 3.0.4-2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-ff2c-wgr6-2p58: ** DISPUTED ** Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request
ghsa_unreviewed · 2022-05-24 · CWE-835 · HIGH
OSV
CVE-2020-15598: Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request
osv · 2020-10-06 · CVSS 7.5 · HIGH
OSV
CVE-2020-15598: ** DISPUTED ** Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request
osv · 2020-10-06 · CVSS 7.5 · HIGH
Debian
CVE-2020-15598: modsecurity - Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request
vendor_debian · 2020 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-15598 libmodsecurity: specially crafted payload could result in a DoS [epel-7]
bugzilla · 2020-09-16 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for
Bugzilla
CVE-2020-15598 libmodsecurity: specially crafted payload could result in a DoS [fedora-all]
bugzilla · 2020-09-16 · CVSS 7.5 · HIGH
NOTE: this issue affects multiple supp
Bugzilla
CVE-2020-15598 libmodsecurity: specially crafted payload could result in a DoS
bugzilla · 2020-09-16 · CVSS 7.5 · HIGH
ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the
global matching of regular expressions. The combination of a non-anchored
regular expression and the ModSecurity “capture” action can be exploited via a
specially crafted payload.
Known Affected Software Configurations:
ModSecurity v3.0.0
ModSecurity v3.0.1
ModSecurity v3.0.2
ModSecurity v3.0.3
ModSecurity v3.0.4 (patch for this version available
Discussion:
External References:
https://coreruleset.org/20200914/cve-2020-15598/
---
Created libmodsecurity tracking bugs for this issue:
Affects: epel-7 [bug 1879590]
Affects: fedora-all [bug 1879589]
---
This CVE Bugzilla entry is for community support informational purposes onl
References:
http://packetstormsecurity.com/files/159185/ModSecurity-3.0.x-Denial-Of-Service.html
http://seclists.org/fulldisclosure/2020/Sep/32
https://coreruleset.org/20200914/cve-2020-15598/
https://www.debian.org/security/2020/dsa-4765
https://www.modsecurity.org