CVE-2025-52891

Published: 02 Jul 2025
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

Mitigation

Users unable to upgrade may set SecParseXmlIntoArgs to Off.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | mod_security | Not affected | | |
| Red Hat Enterprise Linux 8 | mod_security | Not affected | | |
| Red Hat Enterprise Linux 9 | mod_security | Not affected | | |
| Red Hat JBoss Core Services | jbcs-httpd24-mod_security | Not affected | | |
| Red Hat JBoss Core Services | mod_security | Not affected | | |


Additional information

Status: Moderate
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=2375926 mod_security: ModSecurity segmentation fault

EPSS

Percentile: 18%
0.00056
Low

CVSS3: 4.3 Medium

Related vulnerabilities

CVSS3: 6.5
ubuntu
about 1 month ago

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

CVSS3: 6.5
nvd
about 1 month ago

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

CVSS3: 6.5
debian
about 1 month ago

ModSecurity is an open source, cross platform web application firewall ...
