CVE-2022-39958

HIGH

OWASP ModSecurity Core Rule Set 3.0.0-3.2.1 and 3.3.2 - Response Body Exfiltration via HTTP Range Header Bypass

Title source: llm
STIX 2.1

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

References (7)

Core 7
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-25

Scores

CVSS v3 7.5
EPSS 0.0093
EPSS Percentile 55.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-116 CWE-863
Status published
Products (5)
debian/debian_linux 10.0
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
owasp/owasp_modsecurity_core_rule_set 3.0.0 - 3.2.2
Published Sep 20, 2022
Tracked Since Feb 18, 2026