Debian Modsecurity-Apache vulnerabilities

13 known vulnerabilities affecting debian/modsecurity-apache.

Total CVEs
13
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
HIGH6MEDIUM5LOW2

Vulnerabilities

Page 1 of 1
CVE-2025-48866HIGHCVSS 7.5fixed in modsecurity-apache 2.9.7-1+deb12u1 (bookworm)2025
CVE-2025-48866 [HIGH] CVE-2025-48866: modsecurity-apache - ModSecurity is an open source, cross platform web application firewall (WAF) eng... ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of argument
debian
CVE-2025-47947HIGHCVSS 7.5fixed in modsecurity-apache 2.9.7-1+deb12u1 (bookworm)2025
CVE-2025-47947 [HIGH] CVE-2025-47947: modsecurity-apache - ModSecurity is an open source, cross platform web application firewall (WAF) eng... ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` ac
debian
CVE-2025-54571MEDIUMCVSS 6.9fixed in modsecurity-apache 2.9.7-1+deb12u2 (bookworm)2025
CVE-2025-54571 [MEDIUM] CVE-2025-54571: modsecurity-apache - ModSecurity is an open source, cross platform web application firewall (WAF) eng... ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code
debian
CVE-2025-52891LOWCVSS 6.5fixed in modsecurity-apache 2.9.11-1 (forky)2025
CVE-2025-52891 [MEDIUM] CVE-2025-52891: modsecurity-apache - ModSecurity is an open source, cross platform web application firewall (WAF) eng... ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg ), then a segmentation fault oc
debian
CVE-2023-24021HIGHCVSS 7.5fixed in modsecurity-apache 2.9.7-1 (bookworm)2023
CVE-2023-24021 [HIGH] CVE-2023-24021: modsecurity-apache - Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may... Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection. Scope: local bookworm: resolved (fixed in 2.9.7-1) bullseye: resolved (fixed in 2.9.3-3+deb11u2) forky: resolved
debian
CVE-2022-48279HIGHCVSS 7.3fixed in modsecurity 3.0.8-1 (bookworm)2022
CVE-2022-48279 [HIGH] CVE-2022-48279: modsecurity - In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were i... In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. Scope: local bookworm: resolved (fixed in 3.0.8-1) bullseye: open forky: resolved (fixed in 3.0
debian
CVE-2021-42717HIGHCVSS 7.5fixed in modsecurity 3.0.6-1 (bookworm)2021
CVE-2021-42717 [HIGH] CVE-2021-42717: modsecurity - ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafte... ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available C
debian
CVE-2013-1915HIGHCVSS 7.5fixed in modsecurity-apache 2.6.6-6 (bookworm)2013
CVE-2013-1915 [HIGH] CVE-2013-1915: modsecurity-apache - ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send H... ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. Scope: local bookworm: resolved (fixed in 2.6.6-6) bullseye
debian
CVE-2013-5705MEDIUMCVSS 5.0fixed in modsecurity-apache 2.7.7-1 (bookworm)2013
CVE-2013-5705 [MEDIUM] CVE-2013-5705: modsecurity-apache - apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to byp... apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. Scope: local bookworm: resolved (fixed in 2.7.7-1) bullseye: resolved (fixed in 2.7.7-1) forky: resolved (fixed in 2.7.7-1) sid: resolved (fixed in 2.7.7-1) trixie
debian
CVE-2013-2765MEDIUMCVSS 5.0PoCfixed in modsecurity-apache 2.6.6-9 (bookworm)2013
CVE-2013-2765 [MEDIUM] CVE-2013-2765: modsecurity-apache - The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote att... The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. Scope: local bookworm: resolved (fixed in 2.6.6-9) bullseye: resolved (fixed in 2.6.6-9) forky: resolved
debian
CVE-2012-4528MEDIUMCVSS 5.0PoCfixed in modsecurity-apache 2.6.6-5 (bookworm)2012
CVE-2012-4528 [MEDIUM] CVE-2012-4528: modsecurity-apache - The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote a... The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. Scope: local bookworm: resolved (fixed in 2.6.6-5) bullseye: resolved (fixed in 2.6.6-5) forky: resolved (fixed in 2.6.6-
debian
CVE-2012-2751MEDIUMCVSS 4.3fixed in modsecurity-apache 2.6.6-1 (bookworm)2012
CVE-2012-2751 [MEDIUM] CVE-2012-2751: modsecurity-apache - ModSecurity before 2.6.6, when used with PHP, does not properly handle single qu... ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NO
debian
CVE-2009-5031LOWCVSS 4.32009
CVE-2009-5031 [MEDIUM] CVE-2009-5031: modsecurity-apache - ModSecurity before 2.5.11 treats request parameter values containing single quot... ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header. Sco
debian