PT-2022-8647 · Unknown+1 · Owasp-Modsecurity-Crs+2
Themiddleblue
·
Published
2022-09-02
·
Updated
2025-08-09
·
CVE-2020-22669
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Modsecurity owasp-modsecurity-crs version 3.2.0
Description
The issue allows attackers to bypass Modsecurity WAF protection using comment characters and variable assignments in SQL syntax, enabling them to implement SQL injection attacks on web applications.
Recommendations
For Modsecurity owasp-modsecurity-crs version 3.2.0, consider updating the rules to improve protection against SQL injection attacks, and as a temporary workaround, restrict access to sensitive database operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Modsecurity
Owasp-Modsecurity-Crs