Bug 2131317 (CVE-2022-39956) - CVE-2022-39956 mod_security_crs: Content-Type or Content-Transfer-Encoding MIME header fields abuse
Summary: CVE-2022-39956 mod_security_crs: Content-Type or Content-Transfer-Encoding MI...
Keywords:
Status: NEW
Alias: CVE-2022-39956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2131318 2131346 2131347
Blocks: 2128790
TreeView+ depends on / blocked
 
Reported: 2022-09-30 17:03 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:27 UTC (History)
3 users (show)

Fixed In Version: mod_security_crs 3.2.2, mod_security_crs 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the OWASP ModSecurity Core Rule Set. A payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields allows HTTP multipart requests to bypass detection.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-09-30 17:03:56 UTC
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

Reference:
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

Comment 1 Guilherme de Almeida Suckevicz 2022-09-30 17:04:11 UTC
Created mod_security_crs tracking bugs for this issue:

Affects: fedora-all [bug 2131318]


Note You need to log in before you can comment on or make changes to this bug.