Bug 1213275 (CVE-2023-38199) - VUL-0: CVE-2023-38199: owasp-modsecurity-crs: not block multiple Content-Type headers, which might allow attackers to bypass a WAF with a crafted payload
Summary: VUL-0: CVE-2023-38199: owasp-modsecurity-crs: not block multiple Content-Type...
Status: NEW
Alias: CVE-2023-38199
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Forgotten User mJouVTf9j4
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/372361/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-13 07:06 UTC by Robert Frohl
Modified: 2023-08-25 15:35 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Update to 3.3.5 (755.30 KB, image/png)
2023-08-16 13:27 UTC, Alessandro de Oliveira Faria

Description Robert Frohl 2023-07-13 07:06:41 UTC
CVE-2023-38199

coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not block
multiple Content-Type headers, which might allow attackers to bypass a WAF with
a crafted payload, aka "Content-Type confusion." This occurs when the web
application relies on only the last Content-Type header.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38199
https://www.cve.org/CVERecord?id=CVE-2023-38199
https://github.com/coreruleset/coreruleset/issues/3191
https://github.com/coreruleset/coreruleset/pull/3237
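The confusion the description refers to, as an added illustration that is not code from the CRS project or from this report: a tiny HTTP request parser is fed one request with two Content-Type headers, a WAF-side inspector that honours the first header (the assumption this model makes about the WAF side; the description only states that the application uses the last) derives no ARGS from a body it believes is text/plain, while a backend that honours the last header parses the same body as a form and receives the payload. The hardened check rejects any request carrying more than one Content-Type header before parsing the body, which is the behaviour the CVE text says was missing. The injection pattern, the request builder and the host name are constructed for the example.

```python
"""Content-Type confusion: two parsers, one request, two opinions about the body.

Constructed model, not CRS rule logic. The WAF-side parser honours the FIRST
Content-Type header (an assumption for the illustration); the backend honours
the LAST one, as the CVE description states. ARGS are derived only from bodies
declared application/x-www-form-urlencoded, so a body the WAF does not parse
reaches the backend without argument inspection.
"""
import re
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"

# Stand-in for an injection rule (constructed; not a real CRS rule).
INJECTION_RE = re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|--")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).
    Headers stay an ordered list of (name, value) so duplicates survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def content_type(headers, policy: str):
    """Return the Content-Type a component acts on; policy is 'first' or 'last'."""
    values = [v for n, v in headers if n == "content-type"]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def body_args(body: bytes, ctype):
    """Parse the body into ARGS only when it is declared form-encoded."""
    if ctype is None:
        return {}
    media_type = ctype.split(";", 1)[0].strip().lower()
    if media_type != FORM:
        return {}
    return parse_qs(body.decode(), keep_blank_values=True)


def waf_blocks(raw: bytes, policy: str = "first") -> bool:
    """Unfixed WAF model: inspect ARGS derived from the header it honours."""
    _, headers, body = parse_request(raw)
    args = body_args(body, content_type(headers, policy))
    return any(INJECTION_RE.search(v) for vals in args.values() for v in vals)


def backend_args(raw: bytes) -> dict:
    """Backend honours the last Content-Type header (the case the CVE describes)."""
    _, headers, body = parse_request(raw)
    return body_args(body, content_type(headers, "last"))


def hardened_waf_blocks(raw: bytes) -> bool:
    """Fixed behaviour: more than one Content-Type header is rejected outright,
    before any body parsing, so the two parsers can never disagree."""
    _, headers, _ = parse_request(raw)
    if sum(1 for n, _ in headers if n == "content-type") > 1:
        return True
    return waf_blocks(raw)


def build_request(content_types, body: bytes) -> bytes:
    """Constructed request builder; path and Host are made up for the example."""
    lines = [b"POST /search HTTP/1.1", b"Host: app.example"]
    lines += [b"Content-Type: " + ct.encode() for ct in content_types]
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


PAYLOAD = b"q=x' OR 1=1--"
CONFUSED = build_request(["text/plain", FORM], PAYLOAD)   # two Content-Type headers
SINGLE = build_request([FORM], PAYLOAD)                   # one Content-Type header

if __name__ == "__main__":
    print("single header, unfixed WAF blocks:", waf_blocks(SINGLE))
    print("two headers, unfixed WAF blocks:  ", waf_blocks(CONFUSED))
    print("two headers, backend ARGS:        ", backend_args(CONFUSED))
    print("two headers, hardened WAF blocks: ", hardened_waf_blocks(CONFUSED))
```

Rejecting the duplicate header rather than trying to pick "the right one" is the only robust option for a WAF: it cannot know which header each backend framework will honour, and any tie-break it chooses is a parsing difference an attacker can exploit.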
Comment 1 Robert Frohl 2023-07-13 07:11:41 UTC
affects Factory and Backports
Comment 2 Alessandro de Oliveira Faria 2023-08-16 13:27:02 UTC
Created attachment 868839
Update to 3.3.5

v3.3.5

This is the OWASP ModSecurity Core Rule Set version 3.3.5.

Important changes:

    Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría)

Fixes:

    Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
    Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)

Chore:

    Clean up redundant paranoia level tags (Ervin Hegedus)
    Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
    Move testing framework from ftw to go-ftw (Felipe Zipitría)