SpiderLabs/owasp-modsecurity-crs

SpiderLabs/owasp-modsecurity-crs

modsecurity.org

Releases21

Frequency4 months 6 days

Last Release over 6 years ago

Stars2.48K

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-22669 ↗	Sep 2, 2022Friday, 2 September 2022, 18:15	9.8 CRITICAL	—
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
CVE-2019-13464 ↗	Jul 9, 2019Tuesday, 9 July 2019, 19:15	—	5 MEDIUM
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
CVE-2019-11387 ↗	Apr 21, 2019Sunday, 21 April 2019, 02:29	5.3 MEDIUM	4.3 MEDIUM
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.
CVE-2019-11388 ↗	Apr 21, 2019Sunday, 21 April 2019, 02:29	5.3 MEDIUM	5 MEDIUM
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity
CVE-2019-11389 ↗	Apr 21, 2019Sunday, 21 April 2019, 02:29	5.3 MEDIUM	5 MEDIUM
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity
CVE-2019-11390 ↗	Apr 21, 2019Sunday, 21 April 2019, 02:29	5.3 MEDIUM	5 MEDIUM
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity
CVE-2019-11391 ↗	Apr 21, 2019Sunday, 21 April 2019, 02:29	5.3 MEDIUM	5 MEDIUM
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity
CVE-2018-16384 ↗	Sep 3, 2018Monday, 3 September 2018, 02:29	7.5 HIGH	5 MEDIUM
A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.