Bug 1203104 (CVE-2020-22669)

Summary: VUL-0: CVE-2020-22669: owasp-modsecurity-crs: SQL injection bypass
Product: [openSUSE] openSUSE Distribution
Reporter: Thomas Leroy <thomas.leroy>
Component: Security
Assignee: Thomas Worm <Thomas.Worm>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/341471/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-09-05 08:03:27 UTC
CVE-2020-22669

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL
injection bypass vulnerability. Attackers can use the comment characters and
variable assignments in the SQL syntax to bypass Modsecurity WAF protection and
implement SQL injection attacks on Web applications.

Upstream PR:
https://github.com/coreruleset/coreruleset/pull/1793

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22669
https://www.cve.org/CVERecord?id=CVE-2020-22669
https://github.com/coreruleset/coreruleset/pull/1793
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
http://www.cvedetails.com/cve/CVE-2020-22669/

Comment 1 Thomas Leroy 2022-09-05 08:06:38 UTC
Affected:
- openSUSE:Factory
- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4