0Md3V

**Name of the Vulnerable Software and Affected Versions** OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0 **Description** An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) that allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators in the "/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf" API endpoint. **Recommendations** For OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0, as a temporary workaround, consider restricting access to the "/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0 **Description** An issue was discovered that allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with `$a#` at the beginning and nested repetition operators in the `/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf` endpoint. **Recommendations** For OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0, as a temporary workaround, consider restricting access to the `/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf` endpoint to minimize the risk of exploitation.