Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38199

coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.

Published

2023-07-13T03:15:10.023

Last Modified

2024-11-21T08:13:04.113

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-843

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	owasp	coreruleset	≤ 3.3.4	Yes

References

https://github.com/coreruleset/coreruleset/issues/3191 Issue Tracking, Patch ([email protected])
https://github.com/coreruleset/coreruleset/pull/3237 Issue Tracking ([email protected])
https://github.com/coreruleset/coreruleset/issues/3191 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/coreruleset/coreruleset/pull/3237 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)