Home > Vulnerability Database > CVE-2022-39956

Mend.io Vulnerability Database

CVE-2022-39956

Date: September 19, 2022

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

Severity Score

7.3

Related Resources (13)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39956

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/

Url: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

Url: https://access.redhat.com/security/cve/CVE-2022-39956

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/

Url: https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/

Url: https://security-tracker.debian.org/tracker/CVE-2022-39956

Url: https://security.gentoo.org/glsa/202305-25

Url: https://www.mend.io/vulnerability-database/CVE-2022-39956

Severity Score

7.3

Weakness Type (CWE)

Improper Encoding or Escaping of Output

CWE-116

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39956

Date: September 19, 2022

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?