CVE-2023-24021

Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILESTMPCONTENT collection.

Database specific

{
    "cna_assigner": "mitre",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/24xxx/CVE-2023-24021.json"
}

References

Affected packages

Git / github.com/owasp-modsecurity/ModSecurity

Affected ranges

Type

GIT

Repo

https://github.com/owasp-modsecurity/ModSecurity

Events

Introduced

Fixed

053965529cb6993fbeb931e6760097e66936fd81

Database specific

{
    "cpe": "cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.9.7"
        }
    ]
}

Affected versions

v2.*

v2.7.4

v2.9.0

v2.9.0-rc1

v2.9.0-rc2

v2.9.1

v2.9.1-rc1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-24021.json"

Git / github.com/owasp-modsecurity/modsecurity

Affected ranges

Type

GIT

Repo

https://github.com/owasp-modsecurity/modsecurity

Events

Introduced

Fixed

053965529cb6993fbeb931e6760097e66936fd81

Database specific

{
    "source": "REFERENCES"
}

Affected versions

v2.*

v2.7.4

v2.9.0

v2.9.0-rc1

v2.9.0-rc2

v2.9.1

v2.9.1-rc1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-24021.json"