CVE-2019-19886

NameCVE-2019-19886
DescriptionTrustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs949682

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity (PTS)buster, buster (security)3.0.3-1+deb10u2fixed
bullseye3.0.4-2fixed
bookworm3.0.9-1+deb12u1fixed
trixie3.0.12-1fixed
sid3.0.12-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecuritysourcebuster3.0.3-1+deb10u1
modsecuritysource(unstable)3.0.4-1949682

Notes

https://github.com/SpiderLabs/ModSecurity/pull/2202
https://github.com/SpiderLabs/ModSecurity/commit/7ba77631f9a37e0680d23ee57c455c6a35c65cb9
Search for package or bug name: Reporting problems