coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not block multiple Content-Type headers, which might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion." This occurs when the web application relies on only the last Content-Type header.
References
| Link | Resource |
|---|---|
| https://github.com/coreruleset/coreruleset/issues/3191 | Issue Tracking Patch |
| https://github.com/coreruleset/coreruleset/pull/3237 | Issue Tracking |
| https://github.com/coreruleset/coreruleset/issues/3191 | Issue Tracking Patch |
| https://github.com/coreruleset/coreruleset/pull/3237 | Issue Tracking |
Configurations
History
21 Nov 2024, 08:13
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/coreruleset/coreruleset/issues/3191 - Issue Tracking, Patch | |
| References | () https://github.com/coreruleset/coreruleset/pull/3237 - Issue Tracking |
25 Jul 2023, 14:44
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:owasp:coreruleset:*:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| References | (MISC) https://github.com/coreruleset/coreruleset/pull/3237 - Issue Tracking | |
| References | (MISC) https://github.com/coreruleset/coreruleset/issues/3191 - Issue Tracking, Patch | |
| CWE | CWE-843 |
13 Jul 2023, 03:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-07-13 03:15
Updated : 2024-11-21 08:13
NVD link : CVE-2023-38199
Mitre link : CVE-2023-38199
CVE.ORG link : CVE-2023-38199
JSON object : View
Products Affected
owasp
- coreruleset
CWE
CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')