CVE-2022-39955

HIGH

OWASP ModSecurity Core Rule Set 3.0.0-3.2.1 and 3.3.2 - Rule Bypass via Multiple Charset Content-Type Header

Title source: llm
STIX 2.1

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

References (7)

Core 7
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-25

Scores

CVSS v3 7.3
EPSS 0.0078
EPSS Percentile 73.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (5)
debian/debian_linux 10.0
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
owasp/owasp_modsecurity_core_rule_set 3.0.0 - 3.2.2
Published Sep 20, 2022
Tracked Since Feb 18, 2026