PT-2024-2559 · Thales · Thales Imperva SecureSphere

Brian · Published 2024-03-27 · Updated 2024-08-27 · CVE-2023-50969

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Thales Imperva SecureSphere WAF versions 14.7.0.40 and earlier, without the February 2024 update from the Application Delivery Controller (ADC)
Thales Imperva SecureSphere versions prior to the February 2024 update
Description: The vulnerability stems from inadequate access control in the Thales Imperva SecureSphere WAF, which allows remote attackers to bypass WAF rules via crafted POST requests. A successful bypass exposes the protected application to the attacks the WAF is meant to block, including SQL injection and cross-site scripting (XSS). The bypass is triggered by a request carrying specially crafted Content-Encoding headers, such as multiple Content-Encoding headers or specific combinations like gzip and deflate. The estimated number of potentially affected devices is not specified.
Recommendations: For Thales Imperva SecureSphere WAF versions 14.7.0.40 and earlier without the February 2024 update from the Application Delivery Controller (ADC), update to a version that includes the February 2024 ADC update. For Thales Imperva SecureSphere versions prior to the February 2024 update, apply the February 2024 update. As a temporary workaround until the update is applied, restrict access to the WAF and limit HTTP requests that carry multiple Content-Encoding headers.
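The workaround above asks operators to limit requests with multiple Content-Encoding headers while the update is pending. The following is an added example, not code from Thales, Imperva or this advisory's author: a small Python check that parses the head of a raw HTTP/1.1 request, preserves duplicate header names, and flags the two header patterns the description names (repeated Content-Encoding headers and stacked codings such as gzip, deflate). It can run in a reverse-proxy pre-filter or over captured request logs in front of the WAF. The sample requests are constructed for the example, and the `KNOWN_CODINGS` set and the block policy in `triage` are this example's own assumptions.

```python
"""Flag HTTP requests whose Content-Encoding headers match the bypass pattern
described in the advisory: duplicate Content-Encoding headers or stacked codings.
Added example for a pre-WAF filter / log review; not vendor code."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the codings a normal client is expected to send. Anything else is reported.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "compress", "identity"}


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id for log correlation
    detail: str  # human-readable explanation


def parse_header_block(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Parse the request line and headers of a raw HTTP/1.1 request head.

    Duplicate header names are kept as separate (name, value) tuples instead of
    being merged into a dict, because the duplication itself is what we look for.
    """
    text = raw.decode("iso-8859-1")               # header bytes are not UTF-8 by spec
    head = text.split("\r\n\r\n", 1)[0]           # ignore the body entirely
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def check_content_encoding(headers: list[tuple[str, str]]) -> list[Finding]:
    """Return findings for duplicate Content-Encoding headers, stacked codings
    (several codings across one or more headers) and codings outside KNOWN_CODINGS."""
    values = [v for n, v in headers if n == "content-encoding"]
    findings: list[Finding] = []
    if len(values) > 1:
        findings.append(Finding("duplicate-header",
                                f"{len(values)} Content-Encoding headers present"))
    # Split comma-separated values so 'gzip, deflate' and two separate headers
    # both surface as stacked codings.
    codings = [c.strip().lower() for v in values for c in v.split(",") if c.strip()]
    if len(codings) > 1:
        findings.append(Finding("stacked-codings", ", ".join(codings)))
    unknown = sorted(set(codings) - KNOWN_CODINGS)
    if unknown:
        findings.append(Finding("unknown-coding", ", ".join(unknown)))
    return findings


def triage(raw: bytes) -> tuple[bool, list[Finding]]:
    """Decide whether a request should be held back before it reaches the WAF.

    Policy (an assumption of this example): block when the request shows duplicate
    or stacked Content-Encoding headers; unknown codings are only reported.
    """
    _request_line, headers = parse_header_block(raw)
    findings = check_content_encoding(headers)
    block = any(f.rule in ("duplicate-header", "stacked-codings") for f in findings)
    return block, findings


# Constructed sample requests (not captured traffic).
SAMPLE_NORMAL = (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Encoding: gzip\r\nContent-Length: 0\r\n\r\n")
SAMPLE_DUPLICATE = (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                    b"Content-Encoding: gzip\r\nContent-Encoding: deflate\r\n"
                    b"Content-Length: 0\r\n\r\n")
SAMPLE_STACKED = (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Encoding: gzip, deflate\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("normal", SAMPLE_NORMAL),
                          ("duplicate", SAMPLE_DUPLICATE),
                          ("stacked", SAMPLE_STACKED)):
        blocked, found = triage(sample)
        print(f"{label}: block={blocked} findings={[f.rule for f in found]}")
```

Logging the `Finding.rule` values alongside the source address gives a simple detection signal for attempts against an unpatched WAF, and the same function can be replayed over historical request logs to check whether the pattern was seen before the update was applied.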

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers: BDU:2024-02567, CVE-2023-50969

Affected Products: Thales Imperva SecureSphere