
CVE-2022-39957

Protection Mechanism Failure

Published: Sep 20, 2022 | Modified: Nov 21, 2024

CVSS 3.x (source: NVD): 7.5 HIGH
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: none listed
RedHat/V2: none listed
RedHat/V3: 7.3 MODERATE
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Ubuntu: LOW

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional charset parameter in order to receive the response in an encoded form. Depending on the charset, this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
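As an added illustration (not CRS's own rule logic), the following Python flags requests whose Accept header carries a charset parameter outside a defender-chosen allowlist of encodings the WAF is known to decode; the allowlist, the log format and the sample lines are assumptions constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Assumption: the set of response charsets this WAF deployment can decode.
# Operators should derive this from their own engine configuration.
DECODABLE_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}

# Matches a charset parameter in a media range, quoted or unquoted,
# e.g. text/html;charset=utf-8 or text/html; charset="UTF-8"; q=0.9
_CHARSET_PARAM_RE = re.compile(r';\s*charset\s*=\s*"?([^";,\s]+)"?', re.IGNORECASE)


def accept_charsets(accept_header: str) -> List[str]:
    """Return every charset parameter value in an Accept header, lowercased."""
    found = []
    for media_range in accept_header.split(","):
        for match in _CHARSET_PARAM_RE.finditer(media_range):
            found.append(match.group(1).lower())
    return found


def suspicious_accept(accept_header: str) -> Optional[str]:
    """Return the first charset the WAF cannot decode, or None if none is requested."""
    for charset in accept_charsets(accept_header):
        if charset not in DECODABLE_CHARSETS:
            return charset
    return None


# Constructed sample access-log lines: "<client> <method> <path> Accept=<header>".
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html Accept=text/html,application/xhtml+xml",
    "10.0.0.7 GET /admin/config Accept=text/html; charset=utf-8; q=0.9",
    "10.0.0.9 GET /admin/config Accept=text/html;charset=utf-16",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, charset) for each request requesting an undecodable charset."""
    hits = []
    for line in lines:
        prefix, _sep, header = line.partition(" Accept=")
        client, _method, path = prefix.split(" ")
        charset = suspicious_accept(header)
        if charset is not None:
            hits.append((client, path, charset))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("review response-body inspection for", hit)
```

A hit means the WAF's response-body rules may not have inspected that reply, which is a prompt to re-inspect the request and, on affected CRS versions, to upgrade rather than to rely on this check alone.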

Weakness

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Affected Software

Name                             Vendor   Start Version      End Version
Owasp_modsecurity_core_rule_set  Owasp    3.0.0 (including)  3.2.2 (excluding)
Owasp_modsecurity_core_rule_set  Owasp    3.3.0 (including)  3.3.3 (excluding)
Modsecurity-crs                  Ubuntu   bionic             *
Modsecurity-crs                  Ubuntu   kinetic            *
Modsecurity-crs                  Ubuntu   lunar              *
Modsecurity-crs                  Ubuntu   mantic             *
Modsecurity-crs                  Ubuntu   trusty             *
Modsecurity-crs                  Ubuntu   xenial             *
