Skip to main content

Owasp Modsecurity Core Rule Set CVE-2019-11391

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2019-04-21 cve@mitre.org
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
CVE Published
Apr 21, 2019 - 02:29 nvd
MEDIUM 5.3

DescriptionNVD

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a

at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity

AnalysisAI

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a

at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity Affected products include: Modsecurity Owasp Modsecurity Core Rule Set. Version information: through 3.1.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2021-35368 CRITICAL POC
9.8 Nov 05

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request

CVE-2026-21876 CRITICAL POC
9.3 Jan 08

OWASP Core Rule Set (CRS) before 4.22.0 and 3.3.8 has a bug in rule 922110 that allows WAF bypass on multipart requests.

CVE-2019-13464 HIGH POC
7.5 Jul 09

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2018-16384 HIGH POC
7.5 Sep 03

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0

CVE-2022-39956 CRITICAL
9.8 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submit

CVE-2022-39955 CRITICAL
9.8 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTT

CVE-2019-11390 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11389 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11388 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2022-39958 HIGH
7.5 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and und

CVE-2022-39957 HIGH
7.5 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. Rated high severity (CVSS 7.5), this vu

CVE-2019-11387 MEDIUM
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

Share

CVE-2019-11391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy