Skip to main content

Owasp Modsecurity Core Rule Set CVE-2018-16384

HIGH
SQL Injection (CWE-89)
2018-09-03 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 03, 2018 - 02:29 nvd
HIGH 7.5

DescriptionNVD

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {ab} where a is a special function name (such as "if") and b is the SQL statement to be executed.

AnalysisAI

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {ab} where a is a special function name (such as "if") and b is the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {ab} where a is a special function name (such as "if") and b is the SQL statement to be executed. Affected products include: Owasp Owasp Modsecurity Core Rule Set.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2021-35368 CRITICAL POC
9.8 Nov 05

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request

CVE-2026-21876 CRITICAL POC
9.3 Jan 08

OWASP Core Rule Set (CRS) before 4.22.0 and 3.3.8 has a bug in rule 922110 that allows WAF bypass on multipart requests.

CVE-2019-13464 HIGH POC
7.5 Jul 09

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2022-39956 CRITICAL
9.8 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submit

CVE-2022-39955 CRITICAL
9.8 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTT

CVE-2019-11391 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11390 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11389 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11388 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2022-39958 HIGH
7.5 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and und

CVE-2022-39957 HIGH
7.5 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. Rated high severity (CVSS 7.5), this vu

CVE-2019-11387 MEDIUM
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

Share

CVE-2018-16384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy