OESA-2022-1964

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1964
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2022-1964.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2022-1964
Upstream
Published
2022-09-27T11:04:22Z
Modified
2025-08-12T05:14:52.709619Z
Summary
mod_security_crs security update
Details

The base rules are provided for mod_security by this package.

Security Fix(es):

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.(CVE-2022-39955)

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).(CVE-2022-39956)

Database specific 
{
    "severity": "Critical"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / mod_security_crs

Package

Name
mod_security_crs
Purl
pkg:rpm/openEuler/mod_security_crs&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2-1.oe1

Ecosystem specific 

{
    "noarch": [
        "mod_security_crs-3.2.2-1.oe1.noarch.rpm"
    ],
    "src": [
        "mod_security_crs-3.2.2-1.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / mod_security_crs

Package

Name
mod_security_crs
Purl
pkg:rpm/openEuler/mod_security_crs&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2-1.oe1

Ecosystem specific 

{
    "noarch": [
        "mod_security_crs-3.2.2-1.oe1.noarch.rpm"
    ],
    "src": [
        "mod_security_crs-3.2.2-1.oe1.src.rpm"
    ]
}

openEuler:22.03-LTS / mod_security_crs

Package

Name
mod_security_crs
Purl
pkg:rpm/openEuler/mod_security_crs&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2-1.oe2203

Ecosystem specific 

{
    "noarch": [
        "mod_security_crs-3.2.2-1.oe2203.noarch.rpm"
    ],
    "src": [
        "mod_security_crs-3.2.2-1.oe2203.src.rpm"
    ]
}