CVE-2020-22669

CRITICAL

Modsecurity owasp-modsecurity-crs 3.2.0 - SQL Injection

Title source: llm
STIX 2.1

Description

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.

References (4)

Core 4
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
Exploit, Issue Tracking, Third Party Advisory
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/coreruleset/coreruleset/pull/1793

Scores

CVSS v3 9.8
EPSS 0.0103
EPSS Percentile 59.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (2)
debian/debian_linux 10.0
owasp/owasp_modsecurity_core_rule_set 3.2.0
Published Sep 02, 2022
Tracked Since Feb 18, 2026