PT-2022-25145 · OWASP · OWASP ModSecurity Core Rule Set

Hussein98D +2

Published 2022-09-20 · Updated 2025-08-09 · CVE-2022-39958

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OWASP ModSecurity Core Rule Set (CRS) versions 3.0.x through 3.3.2

Description: The issue allows an attacker to bypass response-body inspection and sequentially exfiltrate small, undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource whose retrieval would ordinarily be detected can thus be exfiltrated from the backend despite being protected by a web application firewall that uses CRS: short subsections of the resource do not match the response-body patterns and so pass undetected.

Recommendations: To resolve the issue, upgrade to version 3.2.2 if currently using version 3.2.1, or to version 3.3.3 if currently using version 3.3.2, and additionally configure a CRS paranoia level of 3 or higher. For versions 3.0.x and 3.1.x, upgrade to a supported version and then apply the same recommendations.

Fix

Weakness Enumeration

Incorrect Authorization
Improper Encoding or Escaping of Output

Related Identifiers

CVE-2022-39958
DLA-3293-1
DLA-4265-1
MGASA-2024-0070
OESA-2022-1970

Affected Products

Debian
OWASP ModSecurity Core Rule Set