Upstream information

CVE-2022-39955 at MITRE

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database SUSE
Base Score 7.3 7.3
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact Low Low
Integrity Impact Low Low
Availability Impact Low Low
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1207440 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Tue Sep 20 18:29:29 2022
CVE page last modified: Fri Feb 17 13:02:35 2023