Owasp · Owasp Modsecurity Core Rule Set · CVE-2022-39956
**Name of the Vulnerable Software and Affected Versions**
OWASP ModSecurity Core Rule Set (CRS) versions 3.0.x through 3.3.2
**Description**
The issue is a partial rule set bypass for HTTP multipart requests. It occurs when a payload in a multipart body declares a character encoding scheme through the `Content-Type` header field or the deprecated `Content-Transfer-Encoding` header field of a MIME part. Because neither the web application firewall engine nor the rule set decodes such a part before inspecting it, the encoded payload is not matched against the rules and bypasses detection. The bypass only has an effect against a backend that itself supports and decodes these encoding schemes.
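The description above turns on two per-part MIME header fields. As an added illustration (not code from the CRS project or the advisory), the following Python parses a constructed multipart body, flags parts that declare a `Content-Transfer-Encoding` or an explicit `charset` in their `Content-Type`, and decodes base64 parts so that inspection can run on the actual payload; the boundary, field names and helper names are constructed for the example.

```python
import base64
import re

# Constructed sample body (not from the advisory): a plain part, a part with an
# explicit charset on its Content-Type, and a part with Content-Transfer-Encoding.
BOUNDARY = "----constructedBoundary"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="comment"\r\n\r\n'
    "plain text part\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="note"\r\n'
    "Content-Type: text/plain; charset=iso-8859-1\r\n\r\n"
    "latin-1 text part\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="blob"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "aGVsbG8gd29ybGQ=\r\n"
    f"--{BOUNDARY}--\r\n"
)

def parse_multipart(body, boundary):
    """Split a multipart body into (headers, content) pairs; header names lower-cased."""
    parts = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):  # closing delimiter reached
            break
        raw_headers, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (line.partition(":") for line in raw_headers.split("\r\n"))}
        parts.append((headers, content.rstrip("\r\n")))
    return parts

def flag_encoded_parts(parts):
    """Report parts whose MIME headers declare an encoding the engine may not decode."""
    findings = []
    for headers, _ in parts:
        m = re.search(r'name="([^"]*)"', headers.get("content-disposition", ""))
        name = m.group(1) if m else "?"
        if "content-transfer-encoding" in headers:
            findings.append((name, "Content-Transfer-Encoding: " + headers["content-transfer-encoding"]))
        if re.search(r";\s*charset=", headers.get("content-type", ""), re.I):
            findings.append((name, "charset in Content-Type: " + headers["content-type"]))
    return findings

def decoded_content(headers, content):
    """Undo base64 Content-Transfer-Encoding so rules inspect the real payload."""
    if headers.get("content-transfer-encoding", "").lower() == "base64":
        return base64.b64decode(content).decode("utf-8", errors="replace")
    return content
```

A WAF front end would run its payload rules over `decoded_content(...)` rather than the raw part, or treat any finding from `flag_encoded_parts(...)` as an anomaly in its own right.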
**Recommendations**
For versions 3.0.x and 3.1.x, upgrade to version 3.2.2 or 3.3.3.
For version 3.2.1, upgrade to version 3.2.2.
For version 3.3.2, upgrade to version 3.3.3.
As a general mitigation measure, install the latest ModSecurity version (v2.9.6 / v3.0.8).