Airween

**Name of the Vulnerable Software and Affected Versions** ModSecurity versions prior to 2.9.10 **Description** The issue is a denial of service vulnerability. It affects the `sanitiseArg` (and its alias `sanitizeArg`) action, which is vulnerable to adding an excessive number of arguments, leading to denial of service. **Recommendations** For versions prior to 2.9.10, update to version 2.9.10 to resolve the issue. As a temporary workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.

**Name of the Vulnerable Software and Affected Versions** ModSecurity / libModSecurity versions 3.0.0 through 3.0.11 **Description** The issue is related to a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component, resulting in an impedance mismatch versus RFC compliant back-end applications. This hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. **Recommendations** For ModSecurity / libModSecurity versions 3.0.0 through 3.0.11, upgrade to version 3.0.12 to resolve the issue. As a temporary workaround, consider restricting the use of percent-encoded characters in request URLs to minimize the risk of exploitation. Additionally, review and adjust WAF rules to ensure they properly inspect the URL path component.

**Name of the Vulnerable Software and Affected Versions** Trustwave ModSecurity versions 3.0.5 through 3.0.8 **Description** The issue allows a denial of service, causing worker crash and unresponsiveness. This occurs because some inputs cause a segfault in the `Transaction` class for certain configurations. **Recommendations** For Trustwave ModSecurity versions 3.0.5 through 3.0.8, update to version 3.0.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trustwave ModSecurity versions 3.0.0 through 3.0.3 **Description** The issue allows an attacker to send crafted requests that may lead to the server becoming slow or unresponsive due to a flaw in `Transaction::addRequestHeader` in `transaction.cc`. This can cause a Denial of Service when sent quickly in large volumes. **Recommendations** For Trustwave ModSecurity versions 3.0.0 through 3.0.3, update to a version outside of this range to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.