{"id":"MGASA-2024-0070","summary":"Updated apache-mod_security-crs packages fix security vulnerabilities","details":"A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core\nRule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a\nis a special function name (such as \"if\") and b is the SQL statement to\nbe executed. (CVE-2018-16384)\nModsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a\nSQL injection bypass vulnerability. Attackers can use the comment\ncharacters and variable assignments in the SQL syntax to bypass\nModsecurity WAF protection and implement SQL injection attacks on Web\napplications. (CVE-2020-22669)\nOWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1,\nand 3.3.x before 3.3.2 is affected by a Request Body Bypass via a\ntrailing pathname. (CVE-2021-35368)\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule\nset bypass by submitting a specially crafted HTTP Content-Type header\nfield that indicates multiple character encoding schemes. A vulnerable\nback-end can potentially be exploited by declaring multiple Content-Type\n\"charset\" names and therefore bypassing the configurable CRS\nContent-Type header \"charset\" allow list. An encoded payload can bypass\nCRS detection this way and may then be decoded by the backend.\n(CVE-2022-39955)\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule\nset bypass for HTTP multipart requests by submitting a payload that uses\na character encoding scheme via the Content-Type or the deprecated\nContent-Transfer-Encoding multipart MIME header fields that will not be\ndecoded and inspected by the web application firewall engine and the\nrule set. The multipart payload will therefore bypass detection. A\nvulnerable backend that supports these encoding schemes can potentially\nbe exploited. (CVE-2022-39956)\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a response body\nbypass. A client can issue an HTTP Accept header field containing an\noptional \"charset\" parameter in order to receive the response in an\nencoded form. Depending on the \"charset\", this response can not be\ndecoded by the web application firewall. A restricted resource, access\nto which would ordinarily be detected, may therefore bypass detection.\n(CVE-2022-39957)\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a response body\nbypass to sequentially exfiltrate small and undetectable sections of\ndata by repeatedly submitting an HTTP Range header field with a small\nbyte range. A restricted resource, access to which would ordinarily be\ndetected, may be exfiltrated from the backend, despite being protected\nby a web application firewall that uses CRS. Short subsections of a\nrestricted resource may bypass pattern matching techniques and allow\nundetected access. (CVE-2022-39958)\n","modified":"2026-04-16T04:41:15.500834381Z","published":"2024-03-18T16:12:23Z","upstream":["CVE-2018-16384","CVE-2020-22669","CVE-2021-35368","CVE-2022-39955","CVE-2022-39956","CVE-2022-39957","CVE-2022-39958"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0070.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30977"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4Q7DCCE37GT5ZBJOWP4NGUD4L3FAMDB/"},{"type":"WEB","url":"https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/"},{"type":"WEB","url":"https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/"},{"type":"WEB","url":"https://www.debian.org/lts/security/2023/dla-3293"}],"affected":[{"package":{"name":"apache-mod_security-crs","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/apache-mod_security-crs?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.5-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0070.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}