CVE-2022-39957

NameCVE-2022-39957
DescriptionThe OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3293-1, DLA-4265-1
Debian Bugs1021137

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity-crs (PTS)bullseye3.3.0-1+deb11u1vulnerable
bullseye (security)3.3.4-1~deb11u1fixed
bookworm3.3.4-1fixed
forky, sid, trixie3.3.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecurity-crssourcebuster3.2.3-0+deb10u3DLA-3293-1
modsecurity-crssourcebullseye3.3.4-1~deb11u1DLA-4265-1
modsecurity-crssource(unstable)3.3.4-11021137

Notes

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
Search for package or bug name: Reporting problems