CVE-2021-42717
published 2021-12-07CVE-2021-42717: ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web…
high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | modsecurity | < modsecurity 3.0.6-1 (bookworm) | modsecurity 3.0.6-1 (bookworm) |
| debian | modsecurity-apache | < modsecurity 3.0.6-1 (bookworm) | modsecurity 3.0.6-1 (bookworm) |
| f5 | nginx_modsecurity_waf | — | — |
| f5 | nginx_modsecurity_waf | — | — |
| oracle | http_server | — | — |
| oracle | http_server | — | — |
| oracle | zfs_storage_appliance_kit | — | — |
| owasp | modsecurity | >= 3.0.0 < 3.0.6 | 3.0.6 |
| trustwave | modsecurity | >= 0 < 3.0.6-1 | 3.0.6-1 |
| trustwave | modsecurity | >= 0 < 3.0.6-1 | 3.0.6-1 |
| trustwave | modsecurity | >= 0 < 3.0.6-1 | 3.0.6-1 |
| trustwave | modsecurity | >= 2.0.0 < 2.9.5 | 2.9.5 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH