CVE-2022-39955: Incorrect Authorization in ModSecurity Core Rule Set

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.2% (top 63.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 20; Latest update Sep 13

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS ver

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: owasp/modsecurity_core_rule_set, unspecified, 3.2.1 (+2)
Debian: debian/modsecurity-crs < modsecurity-crs 3.3.4-1 (bookworm)

Also affects: Debian Linux 10.0, Fedora 35, 36, 37

Patches

Vulnerability Details (2)

GHSA: GHSA-x6xv-j46p-v597: The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field th... (2022-09-21)
OSV: CVE-2022-39955: The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field th... (2022-09-20)

Vendor Advisories (2)

Red Hat: mod_security_crs: Multiple charsets defined in Content-Type header (2022-09-19)
Debian: CVE-2022-39955: modsecurity-crs - The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypa... (2022)

Research Papers (1)

arXiv: Automatic Generation of a Cryptography Misuse Taxonomy Using Large Language Models (2025-09-13)
CVE-2022-39955 — Incorrect Authorization | cvebase