Описание
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg ), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
An XML parsing flaw has been discovered in Apache ModSecurity. In specific versions an empty XML tag may lead to a segmentation fault and process crash as a result. To exploit this flaw the SecParseXmlIntoArgs value must be set to On or OnlyArgs.
Меры по смягчению последствий
Users unable to upgrade may set SecParseXmlIntoArgs to Off
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | mod_security | Not affected | ||
| Red Hat Enterprise Linux 8 | mod_security | Not affected | ||
| Red Hat Enterprise Linux 9 | mod_security | Not affected | ||
| Red Hat JBoss Core Services | jbcs-httpd24-mod_security | Not affected | ||
| Red Hat JBoss Core Services | mod_security | Not affected |
Показывать по
Дополнительная информация
Статус:
4.3 Medium
CVSS3
Связанные уязвимости
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
ModSecurity is an open source, cross platform web application firewall ...
Уязвимость межсетевого экрана для защиты веб-приложений ModSecurity, связанная с недостаточной проверкой входных данных, позволяющая нарушителю обойти правила WAF
4.3 Medium
CVSS3