PT-2023-26332 · Owasp +1 · Coreruleset +1
Published
2023-07-13
·
Updated
2023-09-05
·
CVE-2023-38199
9.8
Critical
| Base vector | Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
coreruleset (aka OWASP ModSecurity Core Rule Set) versions 3.3.4 and earlier
Description:
The issue allows attackers to potentially bypass a Web Application Firewall (WAF) using a crafted payload, exploiting "Content-Type confusion" between the WAF and the backend application. This happens when the web application relies solely on the last Content-Type header. Different platforms may handle additional Content-Type headers in various ways, such as rejecting them or merging conflicting headers, which could lead to detection as a malformed header.
Recommendations:
For coreruleset (aka OWASP ModSecurity Core Rule Set) versions 3.3.4 and earlier, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Type Confusion
Weakness Enumeration
Related Identifiers
Affected Products
References · 12
- https://github.com/coreruleset/coreruleset/issues/3191⭐ 2312 🔗 385 · Patch
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38199 · Security Note
- https://ubuntu.com/security/CVE-2023-38199 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-38199 · Security Note
- https://security-tracker.debian.org/tracker/CVE-2023-38199 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2023-38199 · Vendor Advisory
- https://osv.dev/vulnerability/UBUNTU-CVE-2023-38199 · Vendor Advisory
- https://security-tracker.debian.org/tracker/source-package/modsecurity-crs · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2023-38199 · Security Note
- https://github.com/coreruleset/coreruleset/pull/3237⭐ 2312 🔗 385 · Note
- https://packages.debian.org/src:modsecurity-crs · Note
- https://t.me/cibsecurity/66617 · Telegram Post