Bug 1203104 - (CVE-2020-22669) VUL-0: CVE-2020-22669: owasp-modsecurity-crs: SQL injection bypass

Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware/OS: Other / Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assigned To: Thomas Worm
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/341471/
Depends on:
Blocks:

Reported: 2022-09-05 08:03 UTC by Thomas Leroy
Modified: 2022-09-05 08:15 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-09-05 08:03:27 UTC
CVE-2020-22669

ModSecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL
injection bypass vulnerability. Attackers can use the comment characters and
variable assignments in the SQL syntax to bypass ModSecurity WAF protection and
implement SQL injection attacks on web applications.

Upstream PR:
https://github.com/coreruleset/coreruleset/pull/1793

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22669
https://www.cve.org/CVERecord?id=CVE-2020-22669
https://github.com/coreruleset/coreruleset/pull/1793
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
http://www.cvedetails.com/cve/CVE-2020-22669/
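To make the mechanism in the description concrete, the following is an added illustrative example; it is not CRS rule code and not the payload from the upstream issue. It contrasts a deliberately naive keyword signature applied to the raw parameter value with the same signature applied after MySQL-style comment normalization, plus a check for user-variable assignment (`@x:=`), the two obfuscation tricks the report names. The signature regexes, the `normalize_sql` helper and the sample inputs are all constructed for this illustration and are assumptions, not CRS behaviour.

```python
import re
from typing import Dict, Tuple

# Constructed sample inputs for illustration; none of these is the payload
# reported against CRS 3.2.0. They only exercise the two tricks the bug
# report names: SQL comment characters and a MySQL user-variable assignment.
SAMPLES = {
    "plain_union":     "1' UNION SELECT user,password FROM users-- ",
    "comment_split":   "1'/**/UNION/**/SELECT/**/user,password/**/FROM/**/users-- ",
    "version_comment": "1'/*!UNION*//*!SELECT*/user,password/*!FROM*/users-- ",
    "var_assignment":  "1' OR (@v:=1)-- ",
    "benign":          "O'Brien's union of select friends, mail alice@example.com",
}

# Deliberately naive keyword signatures standing in for a low-paranoia
# blacklist rule. These are assumptions for the demo, NOT the CRS 942xxx regexes.
SIGNATURES = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
]

# Extra signature for the hardened detector: a MySQL user-variable assignment.
# "OR (@v:=1)" is a tautology that contains none of the usual keywords.
VAR_ASSIGN = re.compile(r"@\w+\s*:=")


def naive_blocks(value: str) -> bool:
    """Match the signatures against the raw parameter value only."""
    return any(sig.search(value) for sig in SIGNATURES)


def normalize_sql(value: str) -> str:
    """Reduce an input to roughly what a MySQL parser would execute.

    1. /*!...*/ version comments: MySQL executes their body, so keep it.
    2. /*...*/ block comments: ignored by the parser, so replace by a space.
    3. '-- ' and '#' line comments: drop the rest of the line.
    4. Collapse whitespace and lowercase for case-insensitive matching.
    """
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"(?:--\s|#).*", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def hardened_blocks(value: str) -> bool:
    """Normalize first, then match; additionally flag variable assignments."""
    normalized = normalize_sql(value)
    if VAR_ASSIGN.search(normalized):
        return True
    return any(sig.search(normalized) for sig in SIGNATURES)


def evaluate(samples: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (naive_verdict, hardened_verdict)} for each sample."""
    return {name: (naive_blocks(v), hardened_blocks(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate(SAMPLES).items():
        print(f"{name:16} naive={'BLOCK' if naive else 'pass '}  "
              f"hardened={'BLOCK' if hardened else 'pass '}")
```

Running it shows the plain injection caught by both detectors, the comment-split, version-comment and variable-assignment variants slipping past the raw-value match but not past the normalized one, and the benign string passing both. The general lesson, which is what the upstream fix for the rule set also had to address, is that keyword signatures must run on a form of the input the database will actually execute, not on the literal bytes of the request.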
Comment 1 Thomas Leroy 2022-09-05 08:06:38 UTC
Affected:
- openSUSE:Factory
- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4