CVE-2019-11389

Name of the Vulnerable Software and Affected Versions OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0

Description An issue was discovered that allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition operators in the /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf endpoint.

Recommendations For OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0, as a temporary workaround, consider restricting access to the /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.