{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-1019", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2024-01-29T10:28:35.711Z", "datePublished": "2024-01-30T16:09:42.428Z", "dateUpdated": "2024-01-30T16:09:42.428Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://modsecurity.digitalwave.hu", "defaultStatus": "unaffected", "product": "ModSecurity", "repo": "https://github.com/owasp-modsecurity/ModSecurity", "vendor": "OWASP ModSecurity", "versions": [{"lessThanOrEqual": "3.0.11", "status": "affected", "version": "3.0.0", "versionType": "patch"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "For this vulnerability to be exploitable, the application has to use path components of the URI to construct queries, such as SQL queries or shell script sequence. Both are considered risky behaviors.<br>"}], "value": "For this vulnerability to be exploitable, the application has to use path components of the URI to construct queries, such as SQL queries or shell script sequence. Both are considered risky behaviors.\n"}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andrea Menin @AndreaTheMiddle <https://github.com/theMiddleBlue>"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Matteo Pace @M4tteoP <https://github.com/M4tteoP>"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Max Leske <https://github.com/theseion>"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ervin Heged\u00fcs @airween <https://github.com/airween>"}], "datePublic": "2024-01-30T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.</span><br>"}], "value": "ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.\n"}], "impacts": [{"capecId": "CAPEC-152", "descriptions": [{"lang": "en", "value": "CAPEC-152"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2024-01-30T16:09:42.428Z"}, "references": [{"url": "https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34KDQNZE2RS3CWFG5654LNHKXXDPIW5I/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6ZGABPJK2JPVH2JDFHZ5LQLWGONUH7V/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to ModSecurity 3.0.12.<br>"}], "value": "Upgrade to ModSecurity 3.0.12.\n"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2023-11-13T00:00:00.000Z", "value": "OWASP CRS submits report to Trustwave Spiderlabs, includes SQLi proof of concept"}, {"lang": "en", "time": "2023-11-14T00:00:00.000Z", "value": "Trustwave Spiderlabs acknowledges report, promises investigation"}, {"lang": "en", "time": "2023-11-28T00:00:00.000Z", "value": "OWASP CRS asks for update"}, {"lang": "en", "time": "2023-11-29T00:00:00.000Z", "value": "Trustwave Spiderlabs rejects report, describes it as anomaly without security impact"}, {"lang": "en", "time": "2023-12-01T00:00:00.000Z", "value": "OWASP CRS reiterates previously shared SQLi proof of concept"}, {"lang": "en", "time": "2023-12-01T00:00:00.000Z", "value": "Trustwave Spiderlabs acknowledges security impact"}, {"lang": "en", "time": "2023-12-04T00:00:00.000Z", "value": "OWASP CRS shares XSS proof of concept"}, {"lang": "en", "time": "2023-12-07T00:00:00.000Z", "value": "Trustwave Spiderlabs promises security release early in the new year"}, {"lang": "en", "time": "2024-01-02T00:00:00.000Z", "value": "OWASP CRS asks for update"}, {"lang": "en", "time": "2024-01-03T00:00:00.000Z", "value": "Trustwave Spiderlabs announces preview patch by Jan 12, release in the week of Jan 22"}, {"lang": "en", "time": "2024-01-12T00:00:00.000Z", "value": "Trustwave Spiderlabs shares preview patch with primary contact from OWASP CRS"}, {"lang": "en", "time": "2024-01-22T00:00:00.000Z", "value": "OWASP CRS confirms preview patch fixes vulnerability"}, {"lang": "en", "time": "2024-01-24T00:00:00.000Z", "value": "Trustwave Spiderlabs announces transfer of ModSecurity project to OWASP for 2023-01-25"}, {"lang": "en", "time": "2024-01-25T00:00:00.000Z", "value": "Trustwave Spiderlabs transfers ModSecurity repository to OWASP"}, {"lang": "en", "time": "2024-01-25T00:00:00.000Z", "value": "OWASP creates OWASP ModSecurity, assigns OWASP ModSecurity production level, primary contact from OWASP CRS becomes OWASP ModSecurity co-lead"}, {"lang": "en", "time": "2024-01-26T00:00:00.000Z", "value": "OWASP ModSecurity leaders decide to release on 2023-01-30"}, {"lang": "en", "time": "2024-01-27T00:00:00.000Z", "value": "OWASP ModSecurity creates GPG to sign upcoming release, shares via public key servers"}, {"lang": "en", "time": "2024-01-29T00:00:00.000Z", "value": "NCSC-CH assigns CVE 2024-1019, advisory text and release notes are being prepared, planned release procedure is discussed with Trustwave Spiderlabs"}, {"lang": "en", "time": "2024-01-30T00:00:00.000Z", "value": "OWASP ModSecurity Release 3.0.12"}], "title": "WAF bypass of the ModSecurity v3 release line", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\"><span style=\"background-color: transparent;\">ModSecurity v3\u2019s REQUEST_URI_RAW variable contains the full URI and is unaffected by the URL decoding step. </span>It is therefore possible to use the REQUEST_URI_RAW variable to derive all other required variables correctly, including performing any required URL decoding.</span><br>"}], "value": "ModSecurity v3\u2019s REQUEST_URI_RAW variable contains the full URI and is unaffected by the URL decoding step. It is therefore possible to use the REQUEST_URI_RAW variable to derive all other required variables correctly, including performing any required URL decoding.\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*", "matchCriteriaId": "52EBFAFE-523F-46B7-9631-4FA866ABC2D0", "versionEndExcluding": "3.0.12", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.\n"}, {"lang": "es", "value": "ModSecurity/libModSecurity 3.0.0 a 3.0.11 se ve afectado por una omisi\u00f3n de WAF para payloads basados en rutas enviados a trav\u00e9s de URL de solicitud especialmente manipuladas. ModSecurity v3 decodifica los caracteres codificados en porcentaje presentes en las URL de solicitud antes de separar el componente de ruta URL del componente de cadena de consulta opcional. Esto da como resultado una discrepancia de impedancia en comparaci\u00f3n con las aplicaciones de back-end que cumplen con RFC. La vulnerabilidad oculta un payload de ataque en el componente de ruta de la URL de las reglas WAF que la inspeccionan. Un back-end puede ser vulnerable si utiliza el componente de ruta de las URL de solicitud para construir consultas. Se recomienda a los integradores y usuarios que actualicen a 3.0.12. La l\u00ednea de lanzamiento ModSecurity v2 no se ve afectada por esta vulnerabilidad."}], "id": "CVE-2024-1019", "lastModified": "2024-02-20T02:15:49.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2024-01-30T16:15:47.123", "references": [{"source": "vulnerability@ncsc.ch", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34KDQNZE2RS3CWFG5654LNHKXXDPIW5I/"}, {"source": "vulnerability@ncsc.ch", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6ZGABPJK2JPVH2JDFHZ5LQLWGONUH7V/"}, {"source": "vulnerability@ncsc.ch", "tags": ["Patch", "Vendor Advisory"], "url": "https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}

{}