CVE-2024-1019 — Improper Input Validation in Modsecurity

CWE-20 — Improper Input Validation7 documents6 sources

Severity

8.6HIGHNVD

EPSS

0.3%

top 46.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trustwave Modsecurity Owasp Modsecurity Owasp Modsecurity Modsecurity

Timeline

PublishedJan 30

Description

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

▶NVDowasp/modsecurity3.0.0 — 3.0.12

▶Debiantrustwave/modsecurity< 3.0.12-1+1

▶CVEListV5owasp_modsecurity/modsecurity3.0.0 — 3.0.11

Patches

Patch: owasp.org ↗Patch: owasp.org ↗

🔴Vulnerability Details

GHSA

GHSA-w56r-g989-xqw3: ModSecurity / libModSecurity 3↗2024-01-30

▶

OSV

CVE-2024-1019: ModSecurity / libModSecurity 3↗2024-01-30

▶

CVEList

WAF bypass of the ModSecurity v3 release line↗2024-01-30

▶

📋Vendor Advisories

Debian

CVE-2024-1019: modsecurity - ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for pat...↗2024

▶

💬Community

Bugzilla

CVE-2023-51043 kernel: use-after-free during a race condition between a nonblocking atomic commit and a driver unload in drivers/gpu/drm/drm_atomic.c↗2024-01-24

▶

Bugzilla

CVE-2023-51042 kernel: use-after-free in amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c↗2024-01-23

▶