VulnerableCode Package Details - pkg:deb/debian/modsecurity@3.0.4-2?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
VCID-93qw-yjha-tyce Aliases: CVE-2024-1019	ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.	3.0.12-1 Affected by 0 other vulnerabilities. 3.0.14-1 Affected by 0 other vulnerabilities.
VCID-azf2-ue64-y7eb Aliases: CVE-2023-38285	mod_security: DoS Vulnerability in Four Transformations	3.0.9-1+deb12u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.10-1 Affected by 0 other vulnerabilities. 3.0.14-1 Affected by 0 other vulnerabilities.
VCID-kg7a-8fqh-mffc Aliases: CVE-2021-42717	security update	3.0.6-1 Affected by 0 other vulnerabilities. 3.0.9-1+deb12u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.14-1 Affected by 0 other vulnerabilities.
VCID-y8ty-2cp5-y3gm Aliases: CVE-2022-48279	mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass	3.0.8-1 Affected by 0 other vulnerabilities. 3.0.9-1+deb12u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.14-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-93qw-yjha-tyce
Aliases:
CVE-2024-1019

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.

3.0.12-1
Affected by 0 other vulnerabilities.

3.0.14-1
Affected by 0 other vulnerabilities.

VCID-azf2-ue64-y7eb
Aliases:
CVE-2023-38285

mod_security: DoS Vulnerability in Four Transformations

3.0.9-1+deb12u1
Affected by 1 other vulnerability.

3.0.10-1
Affected by 0 other vulnerabilities.

3.0.14-1
Affected by 0 other vulnerabilities.

VCID-kg7a-8fqh-mffc
Aliases:
CVE-2021-42717

security update

3.0.6-1
Affected by 0 other vulnerabilities.

3.0.9-1+deb12u1
Affected by 1 other vulnerability.

3.0.14-1
Affected by 0 other vulnerabilities.

VCID-y8ty-2cp5-y3gm
Aliases:
CVE-2022-48279

mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass

3.0.8-1
Affected by 0 other vulnerabilities.

3.0.9-1+deb12u1
Affected by 1 other vulnerability.

3.0.14-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cq83-mkc9-g3e2	Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.	CVE-2019-19886
VCID-gr7r-94ky-x3ck	security update	CVE-2020-15598
VCID-htwm-7xz4-q3c7	mod_security: Libmodsecurity3 has possible bypass of encoded HTML entities	CVE-2025-27110
VCID-m634-5nyb-skeu	ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.	CVE-2019-25043
VCID-mhtt-q3pz-q7ct	mod_security: a segfault and a resultant crash of a worker process in some configurations with certain inputs	CVE-2023-28882

Vulnerability

Summary

Aliases

VCID-cq83-mkc9-g3e2

Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.

CVE-2019-19886

VCID-gr7r-94ky-x3ck

security update

CVE-2020-15598

VCID-htwm-7xz4-q3c7

mod_security: Libmodsecurity3 has possible bypass of encoded HTML entities

CVE-2025-27110

VCID-m634-5nyb-skeu

ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.

CVE-2019-25043

VCID-mhtt-q3pz-q7ct

mod_security: a segfault and a resultant crash of a worker process in some configurations with certain inputs

CVE-2023-28882

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:16:21.422816+00:00	Debian Importer	Fixing	VCID-gr7r-94ky-x3ck	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:45:35.525118+00:00	Debian Importer	Fixing	VCID-htwm-7xz4-q3c7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:08:00.657908+00:00	Debian Importer	Fixing	VCID-m634-5nyb-skeu	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:48:36.848977+00:00	Debian Importer	Fixing	VCID-mhtt-q3pz-q7ct	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:55:36.130686+00:00	Debian Importer	Fixing	VCID-cq83-mkc9-g3e2	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:08:25.204911+00:00	Debian Importer	Fixing	VCID-gr7r-94ky-x3ck	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:45:02.919529+00:00	Debian Importer	Fixing	VCID-htwm-7xz4-q3c7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:48:20.659109+00:00	Debian Importer	Fixing	VCID-m634-5nyb-skeu	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:33:17.702075+00:00	Debian Importer	Fixing	VCID-mhtt-q3pz-q7ct	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:59:25.982430+00:00	Debian Importer	Fixing	VCID-cq83-mkc9-g3e2	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:46:02.363321+00:00	Debian Importer	Fixing	VCID-htwm-7xz4-q3c7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.309144+00:00	Debian Importer	Affected by	VCID-93qw-yjha-tyce	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.267409+00:00	Debian Importer	Affected by	VCID-azf2-ue64-y7eb	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.233463+00:00	Debian Importer	Fixing	VCID-mhtt-q3pz-q7ct	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.175541+00:00	Debian Importer	Affected by	VCID-y8ty-2cp5-y3gm	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.137375+00:00	Debian Importer	Affected by	VCID-kg7a-8fqh-mffc	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.116649+00:00	Debian Importer	Fixing	VCID-gr7r-94ky-x3ck	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.089248+00:00	Debian Importer	Fixing	VCID-m634-5nyb-skeu	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:46:02.053255+00:00	Debian Importer	Fixing	VCID-cq83-mkc9-g3e2	https://security-tracker.debian.org/tracker/data/json	38.1.0