CVE-2021-35368

moderate-risk
Published 2021-11-05

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.

Do I need to act?

-
0.41% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812, 3b12a9c2cf6f09559885b56f3acc0d7737f1eea5, 18703f1bc47e9c4ec4096853d5fb4e2a204a07a2
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Owasp Modsecurity Core Rule Set

Affected Vendors

Debian Fedoraproject Owasp

References (16)

Exploit https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Vendor Advisory https://owasp.org/www-project-modsecurity-core-rule-set/
Exploit https://portswigger.net/daily-swig/lessons-learned-how-a-severe-vulnerability-in...
Exploit https://portswigger.net/daily-swig/waf-bypass-severe-owasp-modsecurity-core-rule...
https://security.gentoo.org/glsa/202305-25
Exploit https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Vendor Advisory https://owasp.org/www-project-modsecurity-core-rule-set/
Exploit https://portswigger.net/daily-swig/lessons-learned-how-a-severe-vulnerability-in...
Exploit https://portswigger.net/daily-swig/waf-bypass-severe-owasp-modsecurity-core-rule...
https://security.gentoo.org/glsa/202305-25
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 10/34 · Low