Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
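To apply the workaround, an administrator first needs to know which loaded rules use the action. The following audit helper is an added example, not code from ModSecurity or from this advisory; the function names and the sample rules are constructed, and it assumes Apache-style backslash line continuation and the `action:value` syntax inside a rule's action list.

```python
import re

# Either spelling of the action, followed by ':' as it appears in an action list.
ACTION_RE = re.compile(r"\bsaniti[sz]eArg\s*:", re.IGNORECASE)
ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)")

def logical_lines(text):
    """Yield (first_line_number, joined_text), merging backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(part.strip() for part in buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continued directive
        yield start, " ".join(part.strip() for part in buf)

def find_sanitise_arg_rules(text):
    """Return [(line_number, rule_id_or_None)] for active directives using the action."""
    hits = []
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        if ACTION_RE.search(line):
            m = ID_RE.search(line)
            hits.append((lineno, m.group(1) if m else None))
    return hits

# Constructed sample configuration (not taken from any real rule set).
SAMPLE = r'''
# SecRule ARGS_NAMES "@rx pass" "id:900,phase:2,pass,nolog,sanitiseArg:password"
SecRule REQUEST_URI "@beginsWith /login" \
    "id:1001,phase:2,pass,nolog,\
    sanitiseArg:password"
SecAction "id:1002,phase:1,pass,nolog,sanitizeArg:token"
SecRule ARGS "@rx attack" "id:1003,phase:2,deny,status:403"
'''

if __name__ == "__main__":
    for lineno, rule_id in find_sanitise_arg_rules(SAMPLE):
        print(f"line {lineno}: rule id {rule_id} uses sanitiseArg/sanitizeArg")
```

The match is textual, so a rule that merely mentions the action name followed by a colon in a message string is also reported and should be reviewed by hand.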
Release | Status | Note |
---|---|---|
devel | needs-triage | |
esm-apps/bionic | released | 2.9.2-1ubuntu0.1~esm2 |
esm-apps/focal | released | 2.9.3-1ubuntu0.1+esm1 |
esm-apps/jammy | released | 2.9.5-1ubuntu0.1~esm2 |
esm-apps/noble | released | 2.9.7-1ubuntu0.24.04.1~esm1 |
esm-apps/xenial | released | 2.9.0-1ubuntu0.1~esm2 |
esm-infra-legacy/trusty | released | 2.7.7-2ubuntu0.1~esm2 |
focal | ignored | end of standard support, was needs-triage |
jammy | needed | |
noble | needed | |
Source references
7.5 High
CVSS3
Related vulnerabilities
ModSecurity is an open source, cross platform web application firewall ...
A vulnerability in the sanitiseArg and sanitizeArg configuration of the ModSecurity web application firewall that allows an attacker to cause a denial of service