CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1019 – WAF bypass of the ModSecurity v3 release line
https://notcve.org/view.php?id=CVE-2024-1019
30 Jan 2024 — ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulne... • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34KDQNZE2RS3CWFG5654LNHKXXDPIW5I • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38285
https://notcve.org/view.php?id=CVE-2023-38285
26 Jul 2023 — Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285 • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28882
https://notcve.org/view.php?id=CVE-2023-28882
28 Apr 2023 — Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations. • https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48279 – mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass
https://notcve.org/view.php?id=CVE-2022-48279
20 Jan 2023 — In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. En ModSecurity anterior a 2.9.6 y 3.x anterior a 3.0.8, las solicitudes HTTP multiparte se analizaban incorrectamente y podían omitir el Firewall de aplicaciones web. NOTA: esto está relacionado con CVE-2022-39956, pero puede considerarse camb... • https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves • CWE-436: Interpretation Conflict CWE-1389: Incorrect Parsing of Numbers with Different Radices •
CVSS: 7.5EPSS: 1%CPEs: 10EXPL: 2CVE-2021-42717 – Ubuntu Security Notice USN-6370-1
https://notcve.org/view.php?id=CVE-2021-42717
07 Dec 2021 — ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. ModSecurity versiones 3.x hasta 3.0.5, ... • https://github.com/EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717 • CWE-674: Uncontrolled Recursion •