{"id":"CVE-2019-11391","details":"An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity","modified":"2026-04-10T04:14:12.799551Z","published":"2019-04-21T02:29:00.487Z","references":[{"type":"REPORT","url":"https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357"},{"type":"REPORT","url":"https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spiderlabs/owasp-modsecurity-crs","events":[{"introduced":"0"},{"last_affected":"ab24a20faf28156f0495b0c07f2ff37860a3defe"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.1.0"}]}}],"versions":["2.2.7","v2.2.5","v2.2.6","v3.0.0-rc1","v3.0.0-rc2","v3.0.0-rc3","v3.0.1","v3.1.0","v3.1.0-rc1","v3.1.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11391.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}