CVE-2024-1019 – WAF bypass of the ModSecurity v3 release line
https://notcve.org/view.php?id=CVE-2024-1019
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34KDQNZE2RS3CWFG5654LNHKXXDPIW5I https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6ZGABPJK2JPVH2JDFHZ5LQLWGONUH7V https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30 • CWE-20: Improper Input Validation •
CVE-2023-38285
https://notcve.org/view.php?id=CVE-2023-38285
Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285 https://www.trustwave.com/en-us/resources/security-resources/software-updates/end-of-sale-and-trustwave-support-for-modsecurity-web-application-firewall • CWE-407: Inefficient Algorithmic Complexity •
CVE-2022-48279 – mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass
https://notcve.org/view.php?id=CVE-2022-48279
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. En ModSecurity anterior a 2.9.6 y 3.x anterior a 3.0.8, las solicitudes HTTP multiparte se analizaban incorrectamente y podían omitir el Firewall de aplicaciones web. NOTA: esto está relacionado con CVE-2022-39956, pero puede considerarse cambios independientes en el código base de ModSecurity (lenguaje C). A vulnerability was found in ModSecurity. • https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves https://github.com/SpiderLabs/ModSecurity/pull/2795 https://github.com/SpiderLabs/ModSecurity/pull/2797 https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6 https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.8 https://lists.debian.org/debian-lts-announce/2023/01/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/52TGCZCOHYBDCVWJYNN2PS4QLOHCXWTQ • CWE-436: Interpretation Conflict CWE-1389: Incorrect Parsing of Numbers with Different Radices •
CVE-2021-42717
https://notcve.org/view.php?id=CVE-2021-42717
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. ModSecurity versiones 3.x hasta 3.0.5, maneja inapropiadamente los objetos JSON excesivamente anidados. • https://github.com/EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717 https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html https://www.debian.org/security/2021/dsa-5023 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717 • CWE-674: Uncontrolled Recursion •
CVE-2019-25043
https://notcve.org/view.php?id=CVE-2019-25043
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. ModSecurity versiones 3.x anteriores a 3.0.4, maneja inapropiadamente el análisis de peers key-value, como es demostrado por un error de "string index out of range" y un bloqueo del proceso de trabajo para un encabezado "Cookie:=abc" • https://github.com/SpiderLabs/ModSecurity/issues/2566 • CWE-755: Improper Handling of Exceptional Conditions •