7.5

CVE-2023-24021

Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TrustwaveModsecurity Version < 2.9.7
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.91% 0.551
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-170 Improper Null Termination

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

https://lists.debian.org/debian-lts-announce/2023/01/msg00023.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/52TGCZCOHYBDCVWJYNN2PS4QLOHCXWTQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYRTXTOQQI6SB2TLI5QXU76DURSLS4XI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WCH6JM4I4MD4YABYFHSBDDOUFDGIFJKL/
https://github.com/SpiderLabs/ModSecurity/pull/2857
Patch
Issue Tracking
https://github.com/SpiderLabs/ModSecurity/pull/2857/commits/4324f0ac59f8225aa44bc5034df60dbeccd1d334
Patch
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7
Release Notes