CVE-2023-28882 — Uncontrolled Resource Consumption in Modsecurity

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 73.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trustwave Modsecurity Owasp Modsecurity

Timeline

PublishedApr 28

Description

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiantrustwave/modsecurity< 3.0.9-1+2

▶NVDowasp/modsecurity3.0.5 — 3.0.9

🔴Vulnerability Details

OSV

CVE-2023-28882: Trustwave ModSecurity 3↗2023-04-28

▶

GHSA

GHSA-wgcm-rvmx-wh95: Trustwave ModSecurity 3↗2023-04-28

▶

CVEList

CVE-2023-28882: Trustwave ModSecurity 3↗2023-04-28

▶

📋Vendor Advisories

Red Hat

mod_security: a segfault and a resultant crash of a worker process in some configurations with certain inputs↗2023-04-28

▶

Debian

CVE-2023-28882: modsecurity - Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of servic...↗2023

▶