The OWASP ModSecurity CRS is affected by a cross-site request forgery (CSRF) vulnerability. A malicious actor may pose as an innocent third party to trick a user into performing an undesired action on behalf of another user. The CRS does not currently consider this type of attack to be a CSRF. Integrators and users are advised to upgrade to the currently supported 3.2.2 version.

The CRS is affected by a session management bypass. A malicious actor may attempt to hijack the session of another user to gain access to data or services that should be restricted to the victim. The CRS does not currently consider this type of attack to be a session management bypass. Integrators and users are advised to upgrade to the currently supported 3.2.2 version.

The CRS is affected by a content injection vulnerability. A malicious actor may attempt to inject arbitrary content into a web application. The CRS does not currently consider this type of attack to be a content injection vulnerability. Integrators and users are advised to upgrade to the currently supported 3.2.2 version.

The CRS is affected by a session fixation vulnerability. A malicious actor may attempt to hijack the session of another user to gain access to data or services that should be restricted to the victim. The CRS does not currently consider this type of attack to be a session fixation vulnerability. Integrators and users are advised to upgrade to the currently supported 3.2.

Summary of affected modules:

ModSecurity Core Ruleset
The OWASP ModSecurity Core Ruleset is affected by a session management bypass.
The OWASP ModSecurity Core Ruleset is affected by a content injection vulnerability.
The OWASP ModSecurity Core Ruleset is affected by a cross-site request forgery (CSRF) vulnerability.

CSRF & Session Fixation
These are Cross-Site Request Forgeries (CSRF) and Session Fixation vulnerabilities. These attacks allow a malicious actor to trick a user into performing an undesired action on behalf of another user.

Timeline

Published on: 09/20/2022 07:15:00 UTC
Last modified on: 09/21/2022 18:27:00 UTC

References