CVE-2020-22669

NameCVE-2020-22669
DescriptionModsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity-crs (PTS)buster3.1.0-1+deb10u2vulnerable
bullseye3.3.0-1+deb11u1vulnerable
bookworm, sid3.3.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecurity-crssource(unstable)3.3.2-1

Notes

[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
https://github.com/coreruleset/coreruleset/pull/1793
https://github.com/coreruleset/coreruleset/commit/1a6e9e097587cecc038f1a1a76fc067c7797bbcd (v3.3.1-rc1)
https://github.com/coreruleset/coreruleset/commit/909cab560b56f998faee88dd8a7aa9cf086d2d9f (v3.3.1-rc1)

Search for package or bug name: Reporting problems