Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/518077?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/518077?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.1.0-1%2Bdeb10u2", "type": "deb", "namespace": "debian", "name": "modsecurity-crs", "version": "3.1.0-1+deb10u2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.3.4-1+deb12u3", "latest_non_vulnerable_version": "3.3.4-1+deb12u3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93319?format=api", "vulnerability_id": "VCID-1waf-9gu9-c3ah", "summary": "The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional \"charset\" parameter in order to receive the response in an encoded form. Depending on the \"charset\", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. 
Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39957.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39957.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39957", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00903", "scoring_system": "epss", "scoring_elements": "0.76082", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00903", "scoring_system": "epss", "scoring_elements": "0.76112", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00903", "scoring_system": "epss", "scoring_elements": "0.76107", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00903", "scoring_system": "epss", "scoring_elements": "0.76099", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00903", "scoring_system": "epss", "scoring_elements": "0.76087", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39957" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137", "reference_id": "1021137", "reference_type": "", "scores": [], "url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131319", "reference_id": "2131319", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131319" }, { "reference_url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/", "reference_id": "crs-version-3-3-3-and-3-2-2-covering-several-cves", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/" } ], "url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/" }, { "reference_url": "https://security.gentoo.org/glsa/202305-25", "reference_id": "GLSA-202305-25", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/" } ], "url": "https://security.gentoo.org/glsa/202305-25" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/", "reference_id": "HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html", "reference_id": 
"msg00033.html", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/", "reference_id": "PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/", "reference_id": "YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ 
"CVE-2022-39957" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1waf-9gu9-c3ah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93310?format=api", "vulnerability_id": "VCID-5nu2-g227-eufq", "summary": "Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-22669", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49684", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49748", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49757", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.4974", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49711", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49727", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-22669" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ "CVE-2020-22669" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5nu2-g227-eufq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93299?format=api", "vulnerability_id": "VCID-6uwm-p2bt-zqan", "summary": "A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as \"if\") and b is the SQL statement to be executed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-16384", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49618", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49682", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49692", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49674", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49645", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.4966", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-16384" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924352", "reference_id": "924352", "reference_type": "", "scores": [], "url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924352" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195616?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1waf-9gu9-c3ah" }, { "vulnerability": "VCID-5nu2-g227-eufq" }, { "vulnerability": "VCID-8ynf-c717-wkd9" }, { "vulnerability": "VCID-9gcu-vd8q-buan" }, { "vulnerability": "VCID-dzcy-8rqk-6fd8" }, { "vulnerability": "VCID-fd1y-9r47-t3ec" }, { "vulnerability": "VCID-h62t-9dbx-tkcv" }, { "vulnerability": "VCID-pmxc-ce56-e7bz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1" } ], "aliases": [ "CVE-2018-16384" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6uwm-p2bt-zqan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93322?format=api", "vulnerability_id": "VCID-8ynf-c717-wkd9", "summary": "The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. 
Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39958.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39958.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39958", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00571", "scoring_system": "epss", "scoring_elements": "0.68989", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00571", "scoring_system": "epss", "scoring_elements": "0.69036", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00571", "scoring_system": "epss", "scoring_elements": "0.69028", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00571", "scoring_system": "epss", "scoring_elements": "0.69038", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00571", "scoring_system": "epss", "scoring_elements": "0.69031", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00571", "scoring_system": "epss", "scoring_elements": "0.69015", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39958" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { 
"reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137", "reference_id": "1021137", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131321", "reference_id": "2131321", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131321" }, { "reference_url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/", "reference_id": "crs-version-3-3-3-and-3-2-2-covering-several-cves", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/" } ], "url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/" }, { "reference_url": "https://security.gentoo.org/glsa/202305-25", "reference_id": "GLSA-202305-25", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/" } ], "url": "https://security.gentoo.org/glsa/202305-25" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/", "reference_id": "HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html", "reference_id": "msg00033.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/", "reference_id": "PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/", "reference_id": "YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": 
"pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ "CVE-2022-39958" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8ynf-c717-wkd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93327?format=api", "vulnerability_id": "VCID-9gcu-vd8q-buan", "summary": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. 
Versions 4.22.0 and 3.3.8 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21876", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03371", "scoring_system": "epss", "scoring_elements": "0.87604", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.03371", "scoring_system": "epss", "scoring_elements": "0.87603", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.03371", "scoring_system": "epss", "scoring_elements": "0.87606", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21876" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21876", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21876" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084", "reference_id": "1125084", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084" }, { "reference_url": "https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83", "reference_id": "80d80473abf71bd49bf6d3c1ab221e3c74e4eb83", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/" } ], "url": "https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83" }, { "reference_url": "https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6", "reference_id": "9917985de09a6cf38b3261faf9105e909d67a7d6", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/" } ], "url": "https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52558.py", "reference_id": "CVE-2026-21876", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52558.py" }, { "reference_url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5", "reference_id": "GHSA-36fv-25j3-r2c5", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/" } ], "url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5" }, { "reference_url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8", "reference_id": "v3.3.8", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/" } ], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8" }, { "reference_url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0", "reference_id": "v4.22.0", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/" } ], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ "CVE-2026-21876" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9gcu-vd8q-buan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93325?format=api", "vulnerability_id": "VCID-dzcy-8rqk-6fd8", "summary": "coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka \"Content-Type confusion\" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38199", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12289", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12253", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12172", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12184", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38199" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38199", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38199" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109", "reference_id": "1041109", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109" }, { "reference_url": "https://github.com/coreruleset/coreruleset/issues/3191", "reference_id": "3191", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-30T18:55:13Z/" } ], "url": "https://github.com/coreruleset/coreruleset/issues/3191" }, { "reference_url": "https://github.com/coreruleset/coreruleset/pull/3237", "reference_id": "3237", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-30T18:55:13Z/" } ], "url": "https://github.com/coreruleset/coreruleset/pull/3237" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ "CVE-2023-38199" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dzcy-8rqk-6fd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93317?format=api", "vulnerability_id": "VCID-fd1y-9r47-t3ec", "summary": "The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. 
"The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39956.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39956.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39956", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00119", "scoring_system": "epss", "scoring_elements": "0.30361", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00119", "scoring_system": "epss", "scoring_elements": "0.3036", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00119", "scoring_system": "epss", "scoring_elements": "0.30435", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00119", "scoring_system": "epss", "scoring_elements": "0.30402", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00119", "scoring_system": "epss", "scoring_elements": "0.30375", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00119", "scoring_system": "epss", "scoring_elements": "0.30344", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39956" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956" }, { "reference_url": 
"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137", "reference_id": "1021137", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131317", "reference_id": "2131317", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131317" }, { "reference_url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/", "reference_id": "crs-version-3-3-3-and-3-2-2-covering-several-cves", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/" } ], "url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/" }, { "reference_url": "https://security.gentoo.org/glsa/202305-25", "reference_id": "GLSA-202305-25", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/" } ], "url": "https://security.gentoo.org/glsa/202305-25" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/", "reference_id": "HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ", "reference_type": "", "scores": [ { "value": "7.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html", "reference_id": "msg00033.html", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/", "reference_id": "PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/", "reference_id": "YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ "CVE-2022-39956" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fd1y-9r47-t3ec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93315?format=api", "vulnerability_id": "VCID-h62t-9dbx-tkcv", "summary": "The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type \"charset\" names and therefore bypassing the configurable CRS Content-Type header \"charset\" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. 
Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39955.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39955.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39955", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00779", "scoring_system": "epss", "scoring_elements": "0.74028", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00779", "scoring_system": "epss", "scoring_elements": "0.74062", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00779", "scoring_system": "epss", "scoring_elements": "0.74061", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00779", "scoring_system": "epss", "scoring_elements": "0.74066", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00779", "scoring_system": "epss", "scoring_elements": "0.74052", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00779", "scoring_system": "epss", "scoring_elements": "0.74035", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39955" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137", "reference_id": "1021137", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131315", "reference_id": "2131315", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131315" }, { "reference_url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/", "reference_id": "crs-version-3-3-3-and-3-2-2-covering-several-cves", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/" } ], "url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/" }, { "reference_url": "https://security.gentoo.org/glsa/202305-25", "reference_id": "GLSA-202305-25", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/" } ], "url": "https://security.gentoo.org/glsa/202305-25" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/", "reference_id": "HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html", "reference_id": "msg00033.html", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/", "reference_id": "PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/", "reference_id": "YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195617?format=api", "purl": 
"pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3" } ], "aliases": [ "CVE-2022-39955" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h62t-9dbx-tkcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93301?format=api", "vulnerability_id": "VCID-q42g-qzkj-u7ak", "summary": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-11387", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63464", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63507", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63515", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63505", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63494", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63513", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-11387" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387" }, { "reference_url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053", "reference_id": "928053", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195616?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1waf-9gu9-c3ah" }, { "vulnerability": "VCID-5nu2-g227-eufq" }, { "vulnerability": "VCID-8ynf-c717-wkd9" }, { "vulnerability": "VCID-9gcu-vd8q-buan" }, { "vulnerability": "VCID-dzcy-8rqk-6fd8" }, { "vulnerability": "VCID-fd1y-9r47-t3ec" }, { "vulnerability": "VCID-h62t-9dbx-tkcv" }, { "vulnerability": "VCID-pmxc-ce56-e7bz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1" } ], "aliases": [ "CVE-2019-11387" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q42g-qzkj-u7ak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93302?format=api", "vulnerability_id": "VCID-sqyp-mbuj-p3a4", "summary": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. 
NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-11388", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0051", "scoring_system": "epss", "scoring_elements": "0.66761", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0051", "scoring_system": "epss", "scoring_elements": "0.66744", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0051", "scoring_system": "epss", "scoring_elements": "0.66726", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0051", "scoring_system": "epss", "scoring_elements": "0.66766", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0051", "scoring_system": "epss", "scoring_elements": "0.66774", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0051", "scoring_system": "epss", "scoring_elements": "0.66759", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-11388" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11388", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11388" }, { "reference_url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354", "reference_id": "1354", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T13:17:02Z/" } ], "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354" }, { "reference_url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372", "reference_id": "1372", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T13:17:02Z/" } ], "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372" }, { "reference_url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053", "reference_id": "928053", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195616?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1waf-9gu9-c3ah" }, { "vulnerability": "VCID-5nu2-g227-eufq" }, { "vulnerability": "VCID-8ynf-c717-wkd9" }, { "vulnerability": "VCID-9gcu-vd8q-buan" }, { "vulnerability": "VCID-dzcy-8rqk-6fd8" }, { "vulnerability": "VCID-fd1y-9r47-t3ec" }, { "vulnerability": "VCID-h62t-9dbx-tkcv" }, { "vulnerability": "VCID-pmxc-ce56-e7bz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1" } ], "aliases": [ "CVE-2019-11388" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sqyp-mbuj-p3a4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93311?format=api", "vulnerability_id": "VCID-yp6h-2wq3-6yh3", "summary": "OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35368", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54152", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54142", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54119", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54141", "published_at": "2026-06-09T12:55:00Z" }, { 
"value": "0.00406", "scoring_system": "epss", "scoring_elements": "0.61387", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00406", "scoring_system": "epss", "scoring_elements": "0.61434", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35368" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000", "reference_id": "992000", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000" }, { "reference_url": "https://security.gentoo.org/glsa/202305-25", "reference_id": "GLSA-202305-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202305-25" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195616?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1waf-9gu9-c3ah" }, { "vulnerability": "VCID-5nu2-g227-eufq" }, { "vulnerability": "VCID-8ynf-c717-wkd9" }, { "vulnerability": "VCID-9gcu-vd8q-buan" }, { "vulnerability": "VCID-dzcy-8rqk-6fd8" }, { "vulnerability": "VCID-fd1y-9r47-t3ec" }, { "vulnerability": "VCID-h62t-9dbx-tkcv" }, { "vulnerability": "VCID-pmxc-ce56-e7bz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1" } ], "aliases": [ "CVE-2021-35368" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yp6h-2wq3-6yh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93307?format=api", "vulnerability_id": "VCID-zbbk-ktfm-b7bb", "summary": "An issue was discovered in OWASP ModSecurity Core Rule Set 
(CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13464", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46887", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46953", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46956", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46937", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46908", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46918", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13464" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13464", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13464" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773", "reference_id": "943773", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195616?format=api", "purl": "pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1waf-9gu9-c3ah" }, { "vulnerability": "VCID-5nu2-g227-eufq" }, { "vulnerability": "VCID-8ynf-c717-wkd9" }, { "vulnerability": "VCID-9gcu-vd8q-buan" }, { "vulnerability": "VCID-dzcy-8rqk-6fd8" }, { 
"vulnerability": "VCID-fd1y-9r47-t3ec" }, { "vulnerability": "VCID-h62t-9dbx-tkcv" }, { "vulnerability": "VCID-pmxc-ce56-e7bz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1" } ], "aliases": [ "CVE-2019-13464" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zbbk-ktfm-b7bb" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.1.0-1%252Bdeb10u2" }