Source: modsecurity-crs
Version: 3.3.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for modsecurity-crs.

CVE-2026-21876[0]:
| The OWASP core rule set (CRS) is a set of generic attack detection
| rules for use with compatible web application firewalls. Prior to
| versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when
| processing multipart requests with multiple parts. When the first
| rule in a chain iterates over a collection (like
| `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`)
| get overwritten with each iteration. Only the last captured value is
| available to the chained rule, which means malicious charsets in
| earlier parts can be missed if a later part has a legitimate
| charset. Versions 4.22.0 and 3.3.8 patch the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21876
    https://www.cve.org/CVERecord?id=CVE-2026-21876
[1] https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
[2] https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
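The capture-overwrite behaviour the quoted advisory describes, modelled in Python as an added example. This is not code from the CRS project and not the upstream patch: the regex, the allow list, the constructed `Content-Type` headers and the function names are assumptions made here to show why a chain whose first rule iterates over a collection sees only the last `TX:1`, and how evaluating the chained rule per captured value closes the gap.

```python
import re

# Constructed sample: Content-Type headers of three multipart parts.
# Part 2 declares a charset that is not on the allow list; parts 1 and 3
# are legitimate, so a "last capture wins" chain never sees part 2.
SAMPLE_PART_HEADERS = [
    "Content-Type: text/plain; charset=utf-8",
    "Content-Type: text/plain; charset=x-not-on-allowlist",
    "Content-Type: text/plain; charset=utf-8",
]

# Assumed allow list for the illustration (CRS keeps its own in a TX variable).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}

# First rule of the chain: capture the charset value from a Content-Type header.
CHARSET_RE = re.compile(r"charset\s*=\s*['\"]?([^'\";\s]+)", re.IGNORECASE)


def chained_rule_rejects(tx1):
    """Second rule of the chain: flag a charset that is not on the allow list."""
    return tx1.lower() not in ALLOWED_CHARSETS


def evaluate_overwriting_chain(part_headers):
    """Model of the flawed behaviour: the first rule iterates over the whole
    collection and every match overwrites TX:0 / TX:1, so the chained rule is
    run once and only sees the last captured value.  Returns the list of
    charsets that end up flagged."""
    tx = {}
    for header in part_headers:
        m = CHARSET_RE.search(header)
        if m:
            tx["0"], tx["1"] = m.group(0), m.group(1)  # overwrite, no history
    if "1" not in tx:
        return []
    return [tx["1"]] if chained_rule_rejects(tx["1"]) else []


def evaluate_per_part_chain(part_headers):
    """Corrected model (an illustration of the principle, not the upstream
    commit): the chained rule is evaluated against each captured value, so a
    charset in an early part cannot be masked by a legitimate later part."""
    flagged = []
    for header in part_headers:
        m = CHARSET_RE.search(header)
        if m and chained_rule_rejects(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    print("overwriting chain flags:", evaluate_overwriting_chain(SAMPLE_PART_HEADERS))
    print("per-part chain flags:   ", evaluate_per_part_chain(SAMPLE_PART_HEADERS))
```

Running it shows the overwriting model flagging nothing for the sample (the last part's `utf-8` is all the chained rule sees), while the per-part model flags the second part. Reordering the sample so the unlisted charset comes last makes both models agree, which is exactly the condition under which the bug stays invisible in simple tests.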

