PT-2022-25142 · Owasp · Owasp Modsecurity Core Rule Set

Jan Gora · Published 2022-09-20 · Updated 2025-08-09 · CVE-2022-39955

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OWASP ModSecurity Core Rule Set (CRS) versions 3.0.x through 3.3.2

Description: The issue concerns a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type charset names, thereby bypassing the configurable CRS Content-Type header charset allow list. An encoded payload can bypass CRS detection and may then be decoded by the back-end.

Recommendations: For versions 3.0.x and 3.1.x, upgrade to a newer version as these are legacy and no longer supported. For version 3.2.1, upgrade to 3.2.2. For version 3.3.2, upgrade to 3.3.3. As a temporary workaround, consider restricting the use of multiple charset names in the Content-Type header field to minimize the risk of exploitation.
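The temporary workaround described above, as an added example that is not part of this advisory and is not CRS's own rule logic: a Python check that collects every charset parameter in a Content-Type header value, rejects a value that declares more than one, and enforces a charset allow list. The allow-list contents and the function names are assumptions chosen for illustration.

```python
import re

# Constructed allow list in the spirit of the CRS Content-Type charset allow list
# (assumption: the real CRS setting and its default values are not reproduced here).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# Finds every charset=... parameter in the header value, quoted or bare, instead of
# stopping at the first one. Values end at a quote, ';', ',' or whitespace.
_CHARSET_RE = re.compile(r'(?i)\bcharset\s*=\s*"?([^";,\s]*)"?')


def declared_charsets(header: str) -> list[str]:
    """Return all charset names declared in a Content-Type value, lowercased."""
    return [m.group(1).strip().lower() for m in _CHARSET_RE.finditer(header)]


def check_content_type(header: str, allowed=ALLOWED_CHARSETS) -> tuple[bool, str]:
    """Return (accepted, reason) for a Content-Type header value.

    Rejects a value that declares more than one charset (the condition this
    advisory describes) and a value whose single charset is not allow-listed.
    A value with no charset parameter is accepted; the media type itself is
    not evaluated here.
    """
    charsets = declared_charsets(header)
    if len(charsets) > 1:
        return False, f"multiple charset declarations: {charsets}"
    if charsets and charsets[0] not in allowed:
        return False, f"charset not in allow list: {charsets[0]!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    for value in (
        "text/html; charset=utf-8",
        'application/x-www-form-urlencoded; charset="UTF-8"',
        "text/html; charset=utf-8; charset=utf-16",
        "text/plain; charset=utf-16",
        "multipart/form-data; boundary=----constructed",
    ):
        print(f"{value!r:65} -> {check_content_type(value)}")
```

Placing this check in front of the WAF only covers the specific condition in the advisory; upgrading to a fixed CRS release remains the actual remediation.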

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2022-39955
DLA-3293-1
DLA-4265-1
MGASA-2024-0070
OESA-2022-1964

Affected Products

Debian
Owasp Modsecurity Core Rule Set