CVE-2020-22669
CRITICALModsecurity owasp-modsecurity-crs 3.2.0 - SQL Injection
Title source: llmDescription
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
References (4)
Core 4
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
Exploit, Issue Tracking, Third Party Advisory
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/coreruleset/coreruleset/pull/1793
Scores
CVSS v3
9.8
EPSS
0.0103
EPSS Percentile
59.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
debian/debian_linux
10.0
owasp/owasp_modsecurity_core_rule_set
3.2.0
Published
Sep 02, 2022
Tracked Since
Feb 18, 2026