Debian Modsecurity vulnerabilities

9 known vulnerabilities affecting debian/modsecurity.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2025-27110 | LOW | CVSS 7.9 | fixed in modsecurity 3.0.14-1 (forky) | 2025
  [HIGH] Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain leading zero
CVE-2024-1019 | HIGH | CVSS 8.6 | fixed in modsecurity 3.0.12-1 (forky) | 2024
  ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-
CVE-2023-28882 | HIGH | CVSS 7.5 | fixed in modsecurity 3.0.9-1 (bookworm) | 2023
  Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
  Scope: local. bookworm: resolved (fixed in 3.0.9-1); bullseye: resolved; forky: resolved (fixed in 3.0.9-1); sid: resolved (fixed in 3.0.9-1); trixie: resolved (fix
CVE-2023-38285 | HIGH | CVSS 7.5 | fixed in modsecurity 3.0.9-1+deb12u1 (bookworm) | 2023
  Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.
  Scope: local. bookworm: resolved (fixed in 3.0.9-1+deb12u1); bullseye: open; forky: resolved (fixed in 3.0.10-1); sid: resolved (fixed in 3.0.10-1); trixie: resolved (fixed in 3.0.10-1)
CVE-2022-48279 | HIGH | CVSS 7.3 | fixed in modsecurity 3.0.8-1 (bookworm) | 2022
  In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.
  Scope: local. bookworm: resolved (fixed in 3.0.8-1); bullseye: open; forky: resolved (fixed in 3.0
CVE-2021-42717 | HIGH | CVSS 7.5 | fixed in modsecurity 3.0.6-1 (bookworm) | 2021
  ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available C
CVE-2020-15598 | HIGH | CVSS 7.5 | fixed in modsecurity 3.0.4-2 (bookworm) | 2020
  Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial of Service condition. The vendor does not consider this as a secur
CVE-2019-19886 | HIGH | CVSS 7.5 | fixed in modsecurity 3.0.4-1 (bookworm) | 2019
  Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.
  Scope: local. bookworm: resolved (fixed in 3.0.4-1); bullseye: resolved (fixed in 3.0.4-1); fork
CVE-2019-25043 | MEDIUM | CVSS 5.3 | fixed in modsecurity 3.0.4-1 (bookworm) | 2019
  ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
  Scope: local. bookworm: resolved (fixed in 3.0.4-1); bullseye: resolved (fixed in 3.0.4-1); forky: resolved (fixed in 3.0.4-1); sid: resolved (fixed in 3.0.4-1); trixie: resolved (fixed in 3.0.4