Bug 1207443 - (CVE-2022-39957) VUL-0: CVE-2022-39957: mod_security_crs: Charset accept header field resulting in response rule set bypass
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware/OS: Other / openSUSE Leap 15.4
Priority: P3 - Medium
Severity: Major (vote)
Target Milestone: Leap 15.4
Assigned To: Thomas Worm
QA Contact: E-mail List
URL: https://smash.suse.de/issue/343035/
Depends on:
Blocks:
Reported: 2023-01-24 08:09 UTC by Stoyan Manolov
Modified: 2023-01-24 08:15 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Stoyan Manolov 2023-01-24 08:09:20 UTC
rh#2131319

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Reference:
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2131319
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39957
https://www.cve.org/CVERecord?id=CVE-2022-39957
http://www.cvedetails.com/cve/CVE-2022-39957/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
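The mechanism behind this bypass class, as an added, self-contained model (not CRS or ModSecurity code, and not the project's actual fix): a response-body rule that matches raw bytes is blind once the client has steered the origin into an encoding the rule does not expect. The origin server, the leak signature, the allow-list of charsets and the verdict strings are all constructed for illustration; the two hardened functions show the two generic places such a check can live, request side (refuse charsets the WAF cannot inspect) and response side (decode per Content-Type and fail closed when decoding is impossible). Consult the CRS release notes linked above for what the 3.2.2 / 3.3.3 rules actually do.

```python
"""Model of the CVE-2022-39957 bypass class: a response-body rule matching
raw bytes is bypassed when the client requests an unexpected charset.
Constructed example; signatures, charsets and server are assumptions."""
import re

# Constructed data-leak signature for a response-side rule (not a CRS rule id).
LEAK_RE = re.compile(r"root:x:0:0:")
LEAK_RE_BYTES = re.compile(rb"root:x:0:0:")

# Assumed allow-list: charsets the inspector is prepared to decode.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}


def parse_charset(header_value):
    """Return the charset parameter of a media-type header (lowercased), or None."""
    for param in header_value.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def origin_response(accept):
    """Constructed origin server: honours the charset requested via Accept and
    leaks an /etc/passwd-style line (the 'restricted resource' in the advisory)."""
    charset = parse_charset(accept) or "utf-8"
    body = "root:x:0:0:root:/root:/bin/bash\n"
    return {"Content-Type": f"text/plain; charset={charset}"}, body.encode(charset)


def naive_response_inspect(headers, body):
    """Vulnerable pattern: match the raw response bytes regardless of charset.
    Returns 'block' or 'allow'."""
    return "block" if LEAK_RE_BYTES.search(body) else "allow"


def request_charset_check(accept):
    """Hardened, request side: refuse Accept charsets the WAF cannot inspect."""
    charset = parse_charset(accept)
    return "allow" if charset is None or charset in ALLOWED_CHARSETS else "block"


def hardened_response_inspect(headers, body):
    """Hardened, response side: decode according to Content-Type before matching,
    and fail closed if the body cannot be decoded at all."""
    charset = parse_charset(headers.get("Content-Type", "")) or "utf-8"
    try:
        text = body.decode(charset)
    except (LookupError, UnicodeDecodeError):
        return "block:undecodable"
    return "block" if LEAK_RE.search(text) else "allow"


if __name__ == "__main__":
    for accept in ("text/plain", "text/plain;charset=utf-16"):
        hdrs, body = origin_response(accept)
        print(f"Accept: {accept!r:32} naive={naive_response_inspect(hdrs, body):6}"
              f" hardened={hardened_response_inspect(hdrs, body):6}"
              f" request-check={request_charset_check(accept)}")
```

With `Accept: text/plain` both inspectors block the leak; with `Accept: text/plain;charset=utf-16` the origin emits UTF-16 (BOM plus a NUL after every ASCII byte), the byte-level regex no longer matches and the naive inspector allows the response through, while the request-side check refuses the charset up front and the response-side inspector still catches the leak after decoding. A charset the inspector cannot decode at all is blocked rather than waved through, which is the fail-closed behaviour the advisory's wording ("cannot be decoded by the web application firewall") calls for.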