CVE-2021-35368

NameCVE-2021-35368
DescriptionCRS Request Body Bypass
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs992000

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity-crs (PTS)stretch3.0.0-3vulnerable
buster3.1.0-1+deb10u1vulnerable
bullseye3.3.0-1vulnerable
bookworm, sid3.3.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecurity-crssource(unstable)3.3.2-1992000

Notes

[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
[buster] - modsecurity-crs <no-dsa> (Minor issue)
[stretch] - modsecurity-crs <no-dsa> (Minor issue)
https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://github.com/coreruleset/coreruleset/pull/2143
https://github.com/coreruleset/coreruleset/commit/132c19c8f21c8cd4d3cd484d4f34ef786ee39b05 (v3.4-dev)
Introduced by https://github.com/coreruleset/coreruleset/commit/b3995e5d332be9f2445ee91b6e1366440bdbe109 (v3.0.0-rc2)

Search for package or bug name: Reporting problems