Skip to main content

Owasp Modsecurity Core Rule Set CVE-2022-39958

HIGH
Incorrect Authorization (CWE-863)
2022-09-20 vulnerability@ncsc.ch
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 20, 2022 - 07:15 nvd
HIGH 7.5

DescriptionNVD

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

AnalysisAI

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher. Affected products include: Owasp Owasp Modsecurity Core Rule Set, Fedoraproject Fedora, Debian Debian Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2021-35368 CRITICAL POC
9.8 Nov 05

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request

CVE-2026-21876 CRITICAL POC
9.3 Jan 08

OWASP Core Rule Set (CRS) before 4.22.0 and 3.3.8 has a bug in rule 922110 that allows WAF bypass on multipart requests.

CVE-2019-13464 HIGH POC
7.5 Jul 09

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2018-16384 HIGH POC
7.5 Sep 03

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0

CVE-2022-39956 CRITICAL
9.8 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submit

CVE-2022-39955 CRITICAL
9.8 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTT

CVE-2019-11391 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11390 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11389 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2019-11388 MEDIUM POC
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

CVE-2022-39957 HIGH
7.5 Sep 20

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. Rated high severity (CVSS 7.5), this vu

CVE-2019-11387 MEDIUM
5.3 Apr 21

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. Rated medium severity (CVSS 5.3), this v

Share

CVE-2022-39958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy