CVE-2021-42717
https://notcve.org/view.php?id=CVE-2021-42717
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. ModSecurity versiones 3.x hasta 3.0.5, maneja inapropiadamente los objetos JSON excesivamente anidados. • https://github.com/EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717 https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html https://www.debian.org/security/2021/dsa-5023 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717 • CWE-674: Uncontrolled Recursion •
CVE-2019-25043
https://notcve.org/view.php?id=CVE-2019-25043
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. ModSecurity versiones 3.x anteriores a 3.0.4, maneja inapropiadamente el análisis de peers key-value, como es demostrado por un error de "string index out of range" y un bloqueo del proceso de trabajo para un encabezado "Cookie:=abc" • https://github.com/SpiderLabs/ModSecurity/issues/2566 • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2020-15598
https://notcve.org/view.php?id=CVE-2020-15598
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial of Service condition. The vendor does not consider this as a security issue because1) there is no default configuration issue here. An attacker would need to know that a rule using a potentially problematic regular expression was in place, 2) the attacker would need to know the basic nature of the regular expression itself to exploit any resource issues. • http://packetstormsecurity.com/files/159185/ModSecurity-3.0.x-Denial-Of-Service.html http://seclists.org/fulldisclosure/2020/Sep/32 https://coreruleset.org/20200914/cve-2020-15598 https://www.debian.org/security/2020/dsa-4765 https://www.modsecurity.org • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2019-19886
https://notcve.org/view.php?id=CVE-2019-19886
Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc. Trustwave ModSecurity versiones 3.0.0 hasta 3.0.3, permite a un atacante enviar peticiones diseñadas que, cuando se envían rápidamente en grandes volúmenes, conlleva a que el servidor se vuelva lento o no responda (Denegación de Servicio) debido a un fallo en la función Transaction::addRequestHeader en el archivo transaction.cc. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWVUC54OPU7ICFYIXXVGQ5DOTMR4Z6ZY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JI3MNFRNUZD6RAJ5CPQZSUXQXDZ2K7IL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M7IIUNYIEZOWHRWWRVT3FR45MLE6HGDY https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886 • CWE-404: Improper Resource Shutdown or Release •
CVE-2018-13065 – ModSecurity 3.0.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-13065
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured ** EN DISPUTA ** ModSecurity 3.0.0 tiene Cross-Site Scripting (XSS) mediante un atributo onerror de un elemento IMG. NOTA: un tercero ha discutido sobre este problema porque puede que solo aplique a entornos que no tengan configurados Core Rule Set. ModSecurity version 3.0.0 suffers from a cross site scripting vulnerability. • https://github.com/SpiderLabs/ModSecurity/issues/1829 https://hackings8n.blogspot.com/2018/07/cve-2018-13065-modsecurity-300-has-xss.html https://www.exploit-db.com/exploits/44970 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •