Package details: pkg:deb/debian/modsecurity@3.0.14-1?distro=trixie
purl pkg:deb/debian/modsecurity@3.0.14-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (9)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-93qw-yjha-tyce | ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability. | CVE-2024-1019 |
| VCID-azf2-ue64-y7eb | mod_security: DoS Vulnerability in Four Transformations | CVE-2023-38285 |
| VCID-cq83-mkc9-g3e2 | Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc. | CVE-2019-19886 |
| VCID-gr7r-94ky-x3ck | security update | CVE-2020-15598 |
| VCID-htwm-7xz4-q3c7 | mod_security: Libmodsecurity3 has possible bypass of encoded HTML entities | CVE-2025-27110 |
| VCID-kg7a-8fqh-mffc | security update | CVE-2021-42717 |
| VCID-m634-5nyb-skeu | ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. | CVE-2019-25043 |
| VCID-mhtt-q3pz-q7ct | mod_security: a segfault and a resultant crash of a worker process in some configurations with certain inputs | CVE-2023-28882 |
| VCID-y8ty-2cp5-y3gm | mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass | CVE-2022-48279 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T13:16:21.432356+00:00 | Debian Importer | Fixing | VCID-gr7r-94ky-x3ck | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T12:45:35.536940+00:00 | Debian Importer | Fixing | VCID-htwm-7xz4-q3c7 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:08:00.669133+00:00 | Debian Importer | Fixing | VCID-m634-5nyb-skeu | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:48:36.868603+00:00 | Debian Importer | Fixing | VCID-mhtt-q3pz-q7ct | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:55:36.143817+00:00 | Debian Importer | Fixing | VCID-cq83-mkc9-g3e2 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T09:08:25.216007+00:00 | Debian Importer | Fixing | VCID-gr7r-94ky-x3ck | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T08:45:02.935451+00:00 | Debian Importer | Fixing | VCID-htwm-7xz4-q3c7 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:48:20.670058+00:00 | Debian Importer | Fixing | VCID-m634-5nyb-skeu | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:33:17.721895+00:00 | Debian Importer | Fixing | VCID-mhtt-q3pz-q7ct | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T17:59:25.996823+00:00 | Debian Importer | Fixing | VCID-cq83-mkc9-g3e2 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:46:02.371206+00:00 | Debian Importer | Fixing | VCID-htwm-7xz4-q3c7 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.317041+00:00 | Debian Importer | Fixing | VCID-93qw-yjha-tyce | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.282304+00:00 | Debian Importer | Fixing | VCID-azf2-ue64-y7eb | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.250483+00:00 | Debian Importer | Fixing | VCID-mhtt-q3pz-q7ct | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.199750+00:00 | Debian Importer | Fixing | VCID-y8ty-2cp5-y3gm | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.161774+00:00 | Debian Importer | Fixing | VCID-kg7a-8fqh-mffc | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.123358+00:00 | Debian Importer | Fixing | VCID-gr7r-94ky-x3ck | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.095892+00:00 | Debian Importer | Fixing | VCID-m634-5nyb-skeu | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:46:02.062176+00:00 | Debian Importer | Fixing | VCID-cq83-mkc9-g3e2 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |