Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-39958

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Published

2022-09-20T07:15:12.417

Last Modified

2024-11-21T07:18:33.980

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-863
Type: Primary
CWE-116

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	owasp	owasp_modsecurity_core_rule_set	< 3.2.2	Yes
Application	owasp	owasp_modsecurity_core_rule_set	< 3.3.3	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	debian	debian_linux	10.0	Yes

References

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ Patch, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ ([email protected])
https://security.gentoo.org/glsa/202305-25 ([email protected])
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202305-25 (af854a3a-2127-422b-91ae-364da2661108)