Bug 2262017 (CVE-2024-1019) - CVE-2024-1019 libmodsecurity: WAF bypass for path-based payloads
Summary: CVE-2024-1019 libmodsecurity: WAF bypass for path-based payloads
Keywords:
Status: NEW
Alias: CVE-2024-1019
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2262018 2262019
Blocks: 2262016
 
Reported: 2024-01-30 22:41 UTC by Patrick Del Bello
Modified: 2024-01-30 22:42 UTC
CC List: 0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2024-01-30 22:41:56 UTC
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.

https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30
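
The ordering problem described above, as an added illustration that is not part of the bug report or of libmodsecurity's own code: a simplified model of the two parsing orders (percent-decode then split on '?' versus split then decode), run over a constructed request target in which a path-based payload sits behind an encoded '?' (%3F). The toy path rule, the marker string and the sample URL are assumptions made for the example; the interim check at the end flags an encoded delimiter in the raw path and is likewise an example, not the project's fix (the fix is upgrading to 3.0.12).

```python
from urllib.parse import unquote

# Constructed sample request target (not from the report): a SQL-style payload
# placed in the path, with the '?' percent-encoded so that an RFC 3986 parser
# never treats it as the path/query delimiter.
CRAFTED_URL = "/items/%3F'%20OR%201=1--"

# Assumed marker for the toy path-inspecting rule below.
SQLI_MARKER = "' OR 1=1"


def split_then_decode(url: str) -> tuple[str, str]:
    """RFC 3986 order, as an RFC-compliant back-end does it: split on the first
    literal '?' first, then percent-decode each component separately."""
    path, _, query = url.partition("?")
    return unquote(path), unquote(query)


def decode_then_split(url: str) -> tuple[str, str]:
    """Simplified model of the pre-3.0.12 ModSecurity v3 order described in the
    report: percent-decode the whole target, then split on the first '?'.
    A decoded %3F now acts as the delimiter, moving everything after it out of
    the path component."""
    decoded = unquote(url)
    path, _, query = decoded.partition("?")
    return path, query


def path_rule_matches(path: str) -> bool:
    """Toy WAF rule that inspects only the path component for the marker."""
    return SQLI_MARKER in path


def demonstrate(url: str = CRAFTED_URL) -> dict:
    """Show the impedance mismatch: the back-end's path contains the payload,
    the WAF's path does not, so a path-only rule never fires."""
    backend_path, _ = split_then_decode(url)
    waf_path, _ = decode_then_split(url)
    return {
        "backend_path": backend_path,
        "waf_path": waf_path,
        "backend_rule_hit": path_rule_matches(backend_path),
        "waf_rule_hit": path_rule_matches(waf_path),
    }


def has_encoded_delimiter_in_raw_path(url: str) -> bool:
    """Example interim check (assumption, not the project's fix): inspect the
    raw, undecoded path (everything before the first literal '?') for an
    encoded '?' that a back-end would keep inside the path."""
    raw_path, _, _ = url.partition("?")
    return "%3f" in raw_path.lower()


if __name__ == "__main__":
    result = demonstrate()
    print("back-end path :", result["backend_path"])
    print("WAF path      :", result["waf_path"])
    print("back-end rule hit:", result["backend_rule_hit"])
    print("WAF rule hit     :", result["waf_rule_hit"])
    print("encoded '?' in raw path:", has_encoded_delimiter_in_raw_path(CRAFTED_URL))
```

The two parsers disagree only on where the first '?' is found, which is exactly the difference the report describes: the back-end keeps "?' OR 1=1--" inside the path, while the decode-first parser files it under the query string, so any rule bound to the path variable is looking at "/items/" alone.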

Comment 1 Patrick Del Bello 2024-01-30 22:42:15 UTC
Created libmodsecurity tracking bugs for this issue:

Affects: epel-all [bug 2262019]
Affects: fedora-all [bug 2262018]

