Search for packages
| purl | pkg:deb/debian/modsecurity@3.0.4-2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-93qw-yjha-tyce
Aliases: CVE-2024-1019 |
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-azf2-ue64-y7eb
Aliases: CVE-2023-38285 |
mod_security: DoS Vulnerability in Four Transformations |
Affected by 1 other vulnerability. |
|
VCID-kg7a-8fqh-mffc
Aliases: CVE-2021-42717 |
security update |
Affected by 1 other vulnerability. |
|
VCID-y8ty-2cp5-y3gm
Aliases: CVE-2022-48279 |
mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-cq83-mkc9-g3e2 | Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc. |
CVE-2019-19886
|
| VCID-gr7r-94ky-x3ck | security update |
CVE-2020-15598
|
| VCID-m634-5nyb-skeu | ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. |
CVE-2019-25043
|