CVE-2020-22669

Name	CVE-2020-22669
Description	Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3293-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
modsecurity-crs (PTS)	buster	3.1.0-1+deb10u2	vulnerable
	buster (security)	3.2.3-0+deb10u3	fixed
	bullseye	3.3.0-1+deb11u1	vulnerable
	bookworm	3.3.4-1	fixed
	sid, trixie	3.3.5-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
modsecurity-crs	source	buster	3.2.3-0+deb10u3		DLA-3293-1
modsecurity-crs	source	(unstable)	3.3.2-1

Notes

[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
https://github.com/coreruleset/coreruleset/pull/1793
https://github.com/coreruleset/coreruleset/commit/1a6e9e097587cecc038f1a1a76fc067c7797bbcd (v3.3.1-rc1)
https://github.com/coreruleset/coreruleset/commit/909cab560b56f998faee88dd8a7aa9cf086d2d9f (v3.3.1-rc1)