CVE-2022-39956

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/	Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
https://security.gentoo.org/glsa/202305-25
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/	Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
https://security.gentoo.org/glsa/202305-25

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set::::::::
	cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 07:18

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 7.3
References	~~() https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ - Patch, Vendor Advisory~~	() https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ - Patch, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory~~	() https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ -
References	~~() https://security.gentoo.org/glsa/202305-25 -~~	() https://security.gentoo.org/glsa/202305-25 -

Information

Published : 2022-09-20 07:15

Updated : 2024-11-21 07:18

NVD link : CVE-2022-39956

Mitre link : CVE-2022-39956

CVE.ORG link : CVE-2022-39956

JSON object : View

Products Affected

debian

debian_linux

owasp

owasp_modsecurity_core_rule_set

fedoraproject

fedora

CWE

CWE-863

Incorrect Authorization

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2022-39956", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-09-20T07:15:12.293", "references": [{"url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/", "tags": ["Patch", "Vendor Advisory"], "source": "vulnerability@ncsc.ch"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "vulnerability@ncsc.ch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/", "source": "vulnerability@ncsc.ch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/", "source": "vulnerability@ncsc.ch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/", "source": "vulnerability@ncsc.ch"}, {"url": "https://security.gentoo.org/glsa/202305-25", "source": "vulnerability@ncsc.ch"}, {"url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202305-25", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8)."}, {"lang": "es", "value": "OWASP ModSecurity Core Rule Set (CRS) est\u00e1 afectado por una omisi\u00f3n parcial del conjunto de reglas para peticiones HTTP multiparte al enviar una carga \u00fatil que usa un esquema de codificaci\u00f3n de caracteres por medio del Content-Type o los campos de cabecera MIME multiparte obsoletos que no ser\u00e1n decodificados e inspeccionados por el motor del firewall de aplicaciones web y el conjunto de reglas. Por lo tanto, la carga \u00fatil multiparte omitir\u00e1 la detecci\u00f3n. Un backend vulnerable que soporte estos esquemas de codificaci\u00f3n puede ser potencialmente explotado. Las versiones heredadas de CRS 3.0.x y 3.1.x est\u00e1n afectadas, as\u00ed como las versiones 3.2.1 y 3.3.2 actualmente soportadas. Es recomendado a integradores y usuarios actualizar a las versiones 3.2.2 y 3.3.3 respectivamente. La mitigaci\u00f3n contra estas vulnerabilidades depende de la instalaci\u00f3n de la \u00faltima versi\u00f3n de ModSecurity (versiones v2.9.6 / v3.0.8)"}], "lastModified": "2024-11-21T07:18:33.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9D7A320-7FDD-43B5-92AD-E8EFD58D278E", "versionEndExcluding": "3.2.2", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D378AD7-0734-4F54-B4FB-975DDF1C80A4", "versionEndExcluding": "3.3.3", "versionStartIncluding": "3.3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerability@ncsc.ch"}

7.3 /10