{"id":"CVE-2023-38199","details":"coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka \"Content-Type confusion\" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.","modified":"2026-04-10T04:58:59.115819Z","published":"2023-07-13T03:15:10.023Z","related":["openSUSE-SU-2024:13187-1"],"references":[{"type":"REPORT","url":"https://github.com/coreruleset/coreruleset/pull/3237"},{"type":"FIX","url":"https://github.com/coreruleset/coreruleset/issues/3191"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/coreruleset/coreruleset","events":[{"introduced":"0"},{"last_affected":"98b9d811f34a1aa72792aaf6245cb2f2c0f0a5b8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.3.4"}]}}],"versions":["v2.2.5","v2.2.6","v2.2.7","v3.0.0-rc1","v3.0.0-rc2","v3.0.0-rc3","v3.0.1","v3.1.0-rc1","v3.2-rc1","v3.2.0-rc1","v3.3.0","v3.3.0-rc1","v3.3.0-rc2","v3.3.1-rc1","v3.3.2","v3.3.3","v3.3.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38199.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}