PT-2022-25144 · OWASP · OWASP ModSecurity Core Rule Set
Karel Knibbe
Published: 2022-09-20 · Updated: 2025-08-09
CVE-2022-39957
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OWASP ModSecurity Core Rule Set (CRS) versions 3.0.x through 3.3.2
Description
The issue is a response body bypass in the OWASP ModSecurity Core Rule Set (CRS). A client can trigger it by sending an HTTP Accept header field that carries an optional charset parameter, so that the server returns the response body in that encoding. Depending on the charset, the web application firewall may not decode the response body before inspecting it, so access to restricted resources can go undetected.
Recommendations
For versions 3.0.x and 3.1.x, upgrade to version 3.2.2 or 3.3.3, respectively.
For version 3.2.1, upgrade to version 3.2.2.
For version 3.3.2, upgrade to version 3.3.3.
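As an added illustration of a request-side check for the bypass described above (this is not code from the advisory or from CRS itself), the function below parses an Accept field value, extracts every charset parameter, and flags any charset outside an allowlist. The allowlist of encodings the WAF is assumed to decode and the sample header values are constructed assumptions.

```python
"""Flag Accept-header charset parameters a WAF cannot decode (constructed example)."""
from __future__ import annotations
import re
from typing import Iterable

# Assumption: the encodings the WAF is configured to decode response bodies in.
# Any other charset is reported so the request can be logged or blocked before
# the origin answers in an encoding the response-body rules cannot inspect.
DEFAULT_ALLOWED_CHARSETS = frozenset({"utf-8", "iso-8859-1", "us-ascii"})

def split_on(value: str, sep: str) -> list[str]:
    """Split on `sep` outside double-quoted strings, honouring backslash escapes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf).strip()); buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def accept_charsets(accept: str) -> list[tuple[str, str]]:
    """Return (media_range, charset) for each charset parameter in an Accept value.
    Names are matched case-insensitively and quoted values are unquoted, because
    a lenient origin server will accept exactly those variants."""
    found = []
    for media_range in split_on(accept, ","):
        tokens = split_on(media_range, ";")
        for param in tokens[1:]:
            name, _, raw = param.partition("=")
            if name.strip().lower() != "charset":
                continue
            value = raw.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # drop quotes, unescape
            found.append((tokens[0].lower(), value.lower()))
    return found

def disallowed_charsets(accept: str,
                        allowed: Iterable[str] = DEFAULT_ALLOWED_CHARSETS) -> list[str]:
    """Charsets requested via Accept that are not on the allowlist (empty list = fine)."""
    allowed = {a.lower() for a in allowed}
    return sorted({cs for _, cs in accept_charsets(accept) if cs not in allowed})

if __name__ == "__main__":  # constructed sample values, not taken from the advisory
    for hdr in ("text/html,*/*;q=0.8", "text/html; charset=UTF-8",
                'text/plain;  Charset="utf-16le" ;q=0.5'):
        print(f"{hdr!r:45} -> {disallowed_charsets(hdr) or 'allow'}")
```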
Fix
Protection Mechanism Failure
Improper Encoding or Escaping of Output
Related Identifiers
CVE-2022-39957
Affected Products
Debian
OWASP ModSecurity Core Rule Set