Upstream information
Description
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
| CVSS detail | CNA (Switzerland Government Common Vulnerability Program) | National Vulnerability Database | SUSE |
|---|---|---|---|
| Base Score | 7.3 | 9.8 | 7.3 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Network | Network | Network |
| Attack Complexity | Low | Low | Low |
| Privileges Required | None | None | None |
| User Interaction | None | None | None |
| Scope | Unchanged | Unchanged | Unchanged |
| Confidentiality Impact | Low | High | Low |
| Integrity Impact | Low | High | Low |
| Availability Impact | Low | High | Low |
| CVSSv3 Version | 3.1 | 3.1 | 3.1 |
SUSE Timeline for this CVE
CVE page created: Tue Sep 20 18:29:29 2022CVE page last modified: Fri Nov 7 12:00:05 2025