CVE-2020-22669 — SQL Injection in Modsecurity-crs

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 50.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Modsecurity-crs Debian Linux Owasp Modsecurity Core Rule SET

Timeline

PublishedSep 2

Latest updateSep 3

Description

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDowasp/owasp_modsecurity_core_rule_set3.2.0

▶debiandebian/modsecurity-crs< modsecurity-crs 3.3.2-1 (bookworm)

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rj75-2px6-36w6: Modsecurity owasp-modsecurity-crs 3↗2022-09-03

▶

OSV

CVE-2020-22669: Modsecurity owasp-modsecurity-crs 3↗2022-09-02

▶

📋Vendor Advisories

Debian

CVE-2020-22669: modsecurity-crs - Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL inject...↗2020

▶