Modsecurity
CVE-2024-46292
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue).
AnalysisAI
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Buffer Copy without Size Check (CWE-120), which allows attackers to overflow a buffer to corrupt adjacent memory. A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue). Affected products include: Trustwave Modsecurity.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Always validate buffer sizes before copy operations. Use bounded functions (strncpy, snprintf). Enable compiler protections.
More in Modsecurity
View allLibmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is rem
ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` ac
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerabi
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5),
The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver ar
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerabili
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NUL
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer codi
WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle m
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cau
Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. Rated high severity (CVSS 7.5), this vul
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today