CVE-2022-39956

HIGH

OWASP ModSecurity Core Rule Set 3.0.0-3.2.1 & 3.3.2 - Bypass via Character Encoding in MIME Headers

Title source: llm

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests. An attacker submits a multipart payload that declares a character encoding scheme through a part's Content-Type header (its charset parameter) or the deprecated Content-Transfer-Encoding multipart MIME header field. The web application firewall engine and the rule set do not decode the part before inspecting it, so the payload is inspected only in its encoded form and bypasses detection. A vulnerable backend that honours these encoding schemes decodes the payload as intended by the attacker and can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
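The following script is an added illustration of the bypass class described above; it is not code from the CRS or ModSecurity projects. It builds a constructed multipart/form-data body in which the same payload appears three times: as plain text, base64-encoded via Content-Transfer-Encoding, and UTF-16LE-encoded via a Content-Type charset. A toy signature (standing in for a rule, not an actual CRS rule) is then run the way the pre-fix engine sees the parts (raw, undecoded), the way a permissive backend sees them (decoded), and finally through a header check that models the shape of the mitigation: reject parts that declare an encoding the engine will not decode. The boundary, the signature, the payload and the allowed-charset list are all assumptions chosen for the example.

```python
import base64
import re

# Constructed sample input: boundary, payload and a toy signature (not a CRS rule).
BOUNDARY = b"----constructedboundary"
PAYLOAD = "1' UNION SELECT username, password FROM users--"
SIGNATURE = re.compile(rb"union\s+select", re.IGNORECASE)
# Assumption for the example: charsets the inspecting engine is able to decode.
ALLOWED_CHARSETS = {"utf-8", "us-ascii"}


def build_part(name, body, extra_headers=()):
    """Build one multipart part with a Content-Disposition and optional extra MIME headers."""
    headers = [f'Content-Disposition: form-data; name="{name}"'.encode()]
    headers += [h.encode() for h in extra_headers]
    return b"--" + BOUNDARY + b"\r\n" + b"\r\n".join(headers) + b"\r\n\r\n" + body + b"\r\n"


def build_request_body():
    """Constructed request body: the same payload plain, base64-wrapped, and UTF-16LE-wrapped."""
    parts = [
        build_part("plain", PAYLOAD.encode()),
        build_part("b64", base64.b64encode(PAYLOAD.encode()),
                   ["Content-Transfer-Encoding: base64"]),
        build_part("utf16", PAYLOAD.encode("utf-16-le"),
                   ["Content-Type: text/plain; charset=utf-16le"]),
    ]
    return b"".join(parts) + b"--" + BOUNDARY + b"--\r\n"


def parse_multipart(body):
    """Split a multipart body into (headers, raw_body) tuples; headers keyed in lower case."""
    parts = []
    for chunk in body.split(b"--" + BOUNDARY):
        if not chunk or chunk.startswith(b"--"):
            continue  # leading empty chunk or the closing delimiter
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        head, _, raw = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        parts.append((headers, raw))
    return parts


def part_name(headers):
    m = re.search(r'name="([^"]*)"', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def declared_charset(headers):
    m = re.search(r"charset=([\w-]+)", headers.get("content-type", ""), re.IGNORECASE)
    return m.group(1).lower() if m else None


def naive_inspect(parts):
    """Models the pre-fix engine: each part body is matched as received, with no decoding."""
    return {part_name(h): bool(SIGNATURE.search(raw)) for h, raw in parts}


def backend_decode(headers, raw):
    """Models a permissive backend that honours Content-Transfer-Encoding and the charset."""
    if headers.get("content-transfer-encoding", "").lower() == "base64":
        raw = base64.b64decode(raw)
    return raw.decode(declared_charset(headers) or "utf-8", errors="replace")


def backend_view(parts):
    """What the same signature sees once the backend has decoded each part."""
    return {part_name(h): bool(SIGNATURE.search(backend_decode(h, raw).encode()))
            for h, raw in parts}


def header_check(parts):
    """Models the mitigation's shape: flag parts declaring an encoding the engine won't decode."""
    flagged = {}
    for h, _ in parts:
        reasons = []
        if "content-transfer-encoding" in h:
            reasons.append("content-transfer-encoding")
        charset = declared_charset(h)
        if charset and charset not in ALLOWED_CHARSETS:
            reasons.append("charset=" + charset)
        flagged[part_name(h)] = reasons
    return flagged


if __name__ == "__main__":
    parts = parse_multipart(build_request_body())
    print("engine (raw):   ", naive_inspect(parts))
    print("backend (decoded):", backend_view(parts))
    print("header check:   ", header_check(parts))
```

The raw inspection flags only the plain part, while the decoded view shows all three parts carrying the identical payload; the gap between those two dictionaries is the bypass. The header check closes it without needing to decode anything, which is why the rule-set fix depends on the engine exposing per-part MIME headers in the first place.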

Scores

CVSS v3 7.3
EPSS 0.0093
EPSS Percentile 55.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-116 (Improper Encoding or Escaping of Output), CWE-863 (Incorrect Authorization)
Status published
Products (5)
debian/debian_linux 10.0
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
owasp/owasp_modsecurity_core_rule_set 3.0.0 - 3.2.2
Published Sep 20, 2022
Tracked Since Feb 18, 2026