CVE-2022-39957 — Protection Mechanism Failure in Modsecurity Core Rule SET

CWE-693 — Protection Mechanism Failure CWE-116 — Improper Encoding or Escaping of Output5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 75.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Owasp Modsecurity Core Rule SET Debian Modsecurity-crs Owasp Modsecurity Core Rule SET +2 more

Timeline

PublishedSep 20

Latest updateSep 21

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently su…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDowasp/owasp_modsecurity_core_rule_set3.0.0 — 3.2.2+1

▶CVEListV5owasp/modsecurity_core_rule_setunspecified — 3.2.1+2

▶debiandebian/modsecurity-crs< modsecurity-crs 3.3.4-1 (bookworm)

Also affects: Debian Linux 10.0, Fedora 35, 36, 37

Patches

Patch: coreruleset.org ↗Patch: coreruleset.org ↗

🔴Vulnerability Details

GHSA

GHSA-cxqq-h5hh-jgq2: The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass↗2022-09-21

▶

OSV

CVE-2022-39957: The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass↗2022-09-20

▶

📋Vendor Advisories

Red Hat

mod_security_crs: Charset accept header field resulting in response rule set bypass↗2022-09-19

▶

Debian

CVE-2022-39957: modsecurity-crs - The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass....↗2022

▶