CVE-2024-1019— ModSecurity 安全漏洞

WAF bypass of the ModSecurity v3 release line

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

输入验证不恰当

ModSecurity 安全漏洞

ModSecurity是一个入侵检测、阻止的引擎可以作为Apache Web服务器的一个模块或单独的应用程序来运行，为增强Web应用程序的安全性和保护Web应用程序避免遭受来自已知与未知的攻击。 ModSecurity libModSecurity 3.0.0版本至3.0.11版本存在安全漏洞，该漏洞源于对请求 URL 中存在的百分比编码字符进行解码，这会导致与符合 RFC 的后端应用程序不匹配。

N/A

N/A