CVE-2022-39957

EPSS 0.12%
Published 20.09.2022 07:15:12
Last modified 21.11.2024 07:18:33
Source vulnerability@ncsc.ch
Teams watchlist Login
Open Login

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Affected products Warnungen 0 Metrics 3 CWE 2 References 9

Data is provided by the National Vulnerability Database (NVD)

Owasp ≫ Owasp Modsecurity Core Rule Set Version >= 3.0.0 < 3.2.2

Owasp ≫ Owasp Modsecurity Core Rule Set Version >= 3.3.0 < 3.3.3

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.312

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulnerability@ncsc.ch	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html

Third Party Advisory

Mailing List

https://security.gentoo.org/glsa/202305-25

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

Patch

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/

https://nvd.nist.gov/vuln/detail/CVE-2022-39957

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39957

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39957

EUVD