In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

https://github.com/SpiderLabs/ModSecurity/pull/2797
https://github.com/SpiderLabs/ModSecurity/pull/2795
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.8
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6
Created mod_security tracking bugs for this issue:
Affects: fedora-all [bug 2163645]

Created mod_security3 tracking bugs for this issue:
Affects: fedora-all [bug 2163646]
This issue has been addressed in the following products:
  Red Hat JBoss Core Services
Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628
This issue has been addressed in the following products:
  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8
Via RHSA-2023:4629 https://access.redhat.com/errata/RHSA-2023:4629
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-48279