Description
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
References (3)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2991
Exploit, Third Party Advisory x_refsource_misc
http://martin.swende.se/blog/HTTPChunked.html
Scores
EPSS: 0.0084
EPSS Percentile: 74.8%
Details
Status: published
Products (3)
debian/debian_linux 7.0
debian/debian_linux 8.0
trustwave/modsecurity < 2.7.6
Published: Apr 15, 2014
Tracked Since: Feb 18, 2026