CVE-2023-38285

Name	CVE-2023-38285
Description	Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1042475

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
modsecurity (PTS)	buster, buster (security)	3.0.3-1+deb10u2	vulnerable
	bullseye	3.0.4-2	vulnerable
	bookworm	3.0.9-1+deb12u1	fixed
	trixie	3.0.12-1	fixed
	sid	3.0.12-1.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
modsecurity	source	bookworm	3.0.9-1+deb12u1
modsecurity	source	(unstable)	3.0.10-1			1042475

Notes

[bullseye] - modsecurity <no-dsa> (Minor issue)
[buster] - modsecurity <no-dsa> (Minor issue)
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/