Home > Vulnerability Database > CVE-2022-39955

Mend.io Vulnerability Database

CVE-2022-39955

Date: September 19, 2022

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Severity Score

7.3

Related Resources (13)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39955

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/

Url: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

Url: https://access.redhat.com/security/cve/CVE-2022-39955

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/

Url: https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html

Url: https://security-tracker.debian.org/tracker/CVE-2022-39955

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/

Url: https://security.gentoo.org/glsa/202305-25

Url: https://www.mend.io/vulnerability-database/CVE-2022-39955

Severity Score

7.3

Weakness Type (CWE)

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39955

Date: September 19, 2022

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?