Описание
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.
A flaw was found in the ibmodsecurity3 component of the ModSecurity project. Due to an error in handling encoding, ModSecurity cannot decode HTML entities if they contain leading zeroes. This issue may allow malicious payloads to pass through security filters in configurations relying on ModSecurity for web traffic processing.
Отчет
This vulnerability exists in one specific version of libmodsecurity3 (v3.0.13). Red Hat does not ship an affected version in any products.
Меры по смягчению последствий
No mitigation is available for this issue other than updating the affected package to the version containing the fix.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | mod_security_crs | Not affected | ||
| Red Hat Enterprise Linux 8 | mod_security | Not affected | ||
| Red Hat Enterprise Linux 8 | mod_security_crs | Not affected | ||
| Red Hat Enterprise Linux 9 | mod_security | Not affected | ||
| Red Hat Enterprise Linux 9 | mod_security_crs | Not affected | ||
| Red Hat JBoss Core Services | jbcs-httpd24-mod_security | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.6 High
CVSS3
Связанные уязвимости
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.
Libmodsecurity is one component of the ModSecurity v3 project. The lib ...
Уязвимость библиотеки Libmodsecurity3 межсетевого экрана для защиты веб-приложений ModSecurity, позволяющая нарушителю обойти существующие ограничения безопасности
EPSS
8.6 High
CVSS3