Source: modsecurity-crs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for modsecurity-crs.

CVE-2022-39955[0]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial
| rule set bypass by submitting a specially crafted HTTP Content-Type
| header field that indicates multiple character encoding schemes. A
| vulnerable back-end can potentially be exploited by declaring multiple
| Content-Type "charset" names and therefore bypassing the configurable
| CRS Content-Type header "charset" allow list. An encoded payload can
| bypass CRS detection this way and may then be decoded by the backend.
| The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the
| currently supported versions 3.2.1 and 3.3.2. Integrators and users
| are advised to upgrade to 3.2.2 and 3.3.3 respectively.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

CVE-2022-39956[1]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial
| rule set bypass for HTTP multipart requests by submitting a payload
| that uses a character encoding scheme via the Content-Type or the
| deprecated Content-Transfer-Encoding multipart MIME header fields that
| will not be decoded and inspected by the web application firewall
| engine and the rule set. The multipart payload will therefore bypass
| detection. A vulnerable backend that supports these encoding schemes
| can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x
| are affected, as well as the currently supported versions 3.2.1 and
| 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3
| respectively. The mitigation against these vulnerabilities depends on
| the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

CVE-2022-39957[2]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a response
| body bypass. A client can issue an HTTP Accept header field containing
| an optional "charset" parameter in order to receive the response in an
| encoded form. Depending on the "charset", this response cannot be
| decoded by the web application firewall. A restricted resource, access
| to which would ordinarily be detected, may therefore bypass detection.
| The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the
| currently supported versions 3.2.1 and 3.3.2. Integrators and users
| are advised to upgrade to 3.2.2 and 3.3.3 respectively.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

CVE-2022-39958[3]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a response
| body bypass to sequentially exfiltrate small and undetectable sections
| of data by repeatedly submitting an HTTP Range header field with a
| small byte range. A restricted resource, access to which would
| ordinarily be detected, may be exfiltrated from the backend, despite
| being protected by a web application firewall that uses CRS. Short
| subsections of a restricted resource may bypass pattern matching
| techniques and allow undetected access. The legacy CRS versions 3.0.x
| and 3.1.x are affected, as well as the currently supported versions
| 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2
| and 3.3.3 respectively and to configure a CRS paranoia level of 3 or
| higher.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
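The CVE-2022-39955 description above turns on one detail: a Content-Type header may carry the "charset" parameter more than once, and a check that reads only one occurrence can be satisfied while a backend honours another. The following is an added illustration of the class of check involved; it is not CRS rule logic or code from this bug report, the allow list is a constructed example, and the real mitigation remains the upgrade the advisory names. It parses every parameter, keeps duplicates, and refuses a request whose charset is declared more than once or is not on the list.

```python
"""Allow-list check for the Content-Type "charset" parameter.

Added example, not code from the CRS project or from the Debian bug report.
It models the CVE-2022-39955 failure mode: a header that declares "charset"
more than once, so that a check which inspects only one occurrence passes
while the backend decodes the body with a different, unlisted encoding.
"""
import re
from typing import List, Tuple

# Illustrative allow list; CRS ships its own configurable list.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# One ';'-introduced parameter: a name, '=', then a quoted string or a bare token.
_PARAM_RE = re.compile(r';\s*([^;=\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')


def parse_content_type(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (media_type, [(name, value), ...]) with names and values lower-cased.

    Repeated parameters are kept in order instead of being collapsed into a
    dict, because noticing a repeated "charset" is the whole point.
    """
    media_type, _, rest = value.partition(";")
    params: List[Tuple[str, str]] = []
    for m in _PARAM_RE.finditer(";" + rest):
        name, val = m.group(1).lower(), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')  # unquote a quoted-string value
        params.append((name, val.strip().lower()))
    return media_type.strip().lower(), params


def charset_decision(content_type: str) -> Tuple[bool, str]:
    """Decide whether a request Content-Type passes the charset allow list.

    Rejects when "charset" is declared more than once (even if every value is
    allowed: an ambiguous header may be read differently by the WAF and the
    backend) or when the single declared charset is not in the allow list.
    A header with no charset parameter is left to other checks and passes here.
    """
    _, params = parse_content_type(content_type)
    charsets = [v for n, v in params if n == "charset"]
    if not charsets:
        return True, "no charset parameter"
    if len(charsets) > 1:
        return False, "charset declared %d times: %s" % (len(charsets), ", ".join(charsets))
    if charsets[0] not in ALLOWED_CHARSETS:
        return False, "charset not in allow list: %r" % charsets[0]
    return True, "charset allowed: " + charsets[0]


if __name__ == "__main__":
    # Constructed sample headers; "x-unlisted" is a placeholder, not a real encoding.
    for ct in (
        "text/html; charset=utf-8",
        'text/plain; charset="ISO-8859-1"',
        "text/html; charset=utf-8; charset=x-unlisted",
        "text/html; charset=x-unlisted",
        "application/json",
    ):
        print("%-48s -> %s" % (ct, charset_decision(ct)))
```

The quoted-string alternative in the parameter regex matters: splitting naively on ";" would break a quoted value containing a semicolon and could hide or split a parameter, which is exactly the kind of parser disagreement a WAF-versus-backend bypass relies on.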
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39955
    https://www.cve.org/CVERecord?id=CVE-2022-39955
[1] https://security-tracker.debian.org/tracker/CVE-2022-39956
    https://www.cve.org/CVERecord?id=CVE-2022-39956
[2] https://security-tracker.debian.org/tracker/CVE-2022-39957
    https://www.cve.org/CVERecord?id=CVE-2022-39957
[3] https://security-tracker.debian.org/tracker/CVE-2022-39958
    https://www.cve.org/CVERecord?id=CVE-2022-39958

Please adjust the affected versions in the BTS as needed.
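CVE-2022-39958 describes a response-side pattern: a restricted resource is read through many Range requests, each so short that response-body pattern matching sees nothing. The advisory's mitigation is the upgrade plus paranoia level 3 or higher; as an added, out-of-band complement that is not part of the bug report or of CRS, the following detection heuristic runs over access-log lines and reports a client that repeatedly fetches the same path with small byte ranges. The log format, the sample lines, and the thresholds are constructed for this example (the Range header is assumed to have been logged as the final quoted field, which is not an Apache or ModSecurity default).

```python
"""Detection heuristic for repeated small-range reads (CVE-2022-39958 pattern).

Added example, not CRS rule logic. Assumes a constructed access-log layout:
  <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes> "<Range header or ->"
The Range field is the request's Range header, or "-" when absent.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<range>[^"]*)"$'
)

SMALL_RANGE_BYTES = 64  # illustrative: a range covering at most this many bytes is "small"
MIN_SMALL_RANGES = 5    # illustrative: report a client/path pair at this many small-range hits


def range_length(value: str) -> Optional[int]:
    """Bytes covered by a single closed 'bytes=a-b' Range value.

    Returns None for an absent ("-"), malformed, open-ended ("bytes=a-") or
    multi-range value; those cases are left to other checks rather than guessed.
    """
    m = re.fullmatch(r"bytes=(\d+)-(\d+)", value.strip())
    if not m:
        return None
    start, end = int(m.group(1)), int(m.group(2))
    if end < start:
        return None
    return end - start + 1


def find_small_range_readers(log_lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count 206 responses with a small Range per (client, path); return the
    pairs that reach MIN_SMALL_RANGES. Lines that do not parse are skipped."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "206":  # only partial-content responses matter
            continue
        n = range_length(m.group("range"))
        if n is not None and n <= SMALL_RANGE_BYTES:
            counts[(m.group("ip"), m.group("path"))] += 1
    return {pair: n for pair, n in counts.items() if n >= MIN_SMALL_RANGES}


# Constructed sample log: one client walks /report.pdf in 16-byte slices, one
# client streams a large range of a video, one fetches a file with no Range.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Sep/2022:10:00:00 +0000] "GET /report.pdf HTTP/1.1" 206 16 "bytes=0-15"',
    '198.51.100.7 - - [19/Sep/2022:10:00:00 +0000] "GET /report.pdf HTTP/1.1" 206 16 "bytes=16-31"',
    '198.51.100.7 - - [19/Sep/2022:10:00:01 +0000] "GET /report.pdf HTTP/1.1" 206 16 "bytes=32-47"',
    '198.51.100.7 - - [19/Sep/2022:10:00:01 +0000] "GET /report.pdf HTTP/1.1" 206 16 "bytes=48-63"',
    '198.51.100.7 - - [19/Sep/2022:10:00:02 +0000] "GET /report.pdf HTTP/1.1" 206 16 "bytes=64-79"',
    '203.0.113.5 - - [19/Sep/2022:10:00:02 +0000] "GET /video.mp4 HTTP/1.1" 206 1048576 "bytes=0-1048575"',
    '203.0.113.9 - - [19/Sep/2022:10:00:03 +0000] "GET /report.pdf HTTP/1.1" 200 40960 "-"',
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for (ip, path), n in find_small_range_readers(SAMPLE_LOG).items():
        print("%s fetched %s in %d small ranges" % (ip, path, n))
```

Counting per (client, path) rather than per client alone keeps a legitimate media player, which issues a few large ranges, out of the report, while the thresholds are the knobs a deployment would tune against its own traffic.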