Hussein98D

**Name of the Vulnerable Software and Affected Versions** OWASP ModSecurity Core Rule Set (CRS) versions 3.0.x through 3.3.2 **Description** The issue allows for a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. **Recommendations** To resolve the issue, upgrade to version 3.2.2 if currently using version 3.2.1, and upgrade to version 3.3.3 if currently using version 3.3.2. Additionally, configure a CRS paranoia level of 3 or higher. For versions 3.0.x and 3.1.x, upgrade to a supported version and then apply the aforementioned recommendations.