Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OWASP CRS has multipart bypass using multiple content-type parts
Vulnerability Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Vulnerability Type
对特殊元素的多个实例的过滤不完全
Vulnerability Title
OWASP CRS 安全漏洞
Vulnerability Description
OWASP CRS是CRS Project开源的一套攻击检测规则集。 OWASP CRS 4.22.0之前版本和3.3.8之前版本存在安全漏洞,该漏洞源于处理多部分请求时规则922110存在缺陷,可能导致恶意字符集被忽略。
CVSS Information
N/A
Vulnerability Type
N/A