Key Vulnerability Information

CRS Version 3.3.3 and 3.2.2

CVEs Covered: CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958

Vulnerabilities:
- Multiple charsets defined in Content-Type header
- Content-Type or Content-Transfer-Encoding MIME header fields abuse
- Charset accept header field resulting in response rule set bypass
- Small range header leading to response rule set bypass

Official CVE Advisories for CRS

CVE-2022-39955 - Multiple Charsets Defined in Content-Type Header
Description: Bypass in CRS by submitting a crafted Content-Type header that declares more than one charset
Affected Versions: 3.0.x, 3.1.x, 3.2.1, 3.3.2

CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME Header Fields Abuse
Description: Bypass in CRS using Content-Type or Content-Transfer-Encoding header fields inside multipart MIME parts
Affected Versions: 3.0.x, 3.1.x, 3.2.1, 3.3.2

CVE-2022-39957 - Charset Accept Header Field Resulting in Response Rule Set Bypass
Description: Response body bypass via a "charset" parameter in the "Accept" header, which can make the backend respond in an encoding the response rules cannot inspect
Affected Versions: 3.0.x, 3.1.x, 3.2.1, 3.3.2

CVE-2022-39958 - Small Range Header Leading to Response Rule Set Bypass
Description: Sequential exfiltration of response data via small byte ranges in the Range header, each slice too short for the response rules to match
Affected Versions: 3.0.x, 3.1.x, 3.2.1, 3.3.2

ModSecurity Engine Vulnerabilities

Use Wrong Body Parser: Fix for the ModSecurity recommended rules that select the request body parser from the Content-Type header and related MIME header fields, so that a crafted header no longer routes the body to the wrong parser
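The four bypass classes above all come down to header parsing that the WAF did more loosely than the backend. The following Python pre-filter is an added illustration of the corresponding checks, written for this page; it is not CRS or ModSecurity code and does not reproduce their rules. The charset allowlist, the 64-byte "small range" threshold, the flagged multipart headers and the sample requests are all assumptions constructed here, and the exact thresholds and header handling in the real CRS 3.3.3 / 3.2.2 rules differ.

```python
# Added illustration, not CRS or ModSecurity code: a request pre-filter with one check per
# bypass class in the advisory. Allowlist, range threshold and sample requests are assumptions.
import re

ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}  # assumed allowlist
MIN_RANGE_BYTES = 64  # assumed threshold for a "small" range, not the CRS value


def parse_params(value):
    """'media; k=v; k2=v2' -> (media, [(k, v), ...]); duplicates kept so a 2nd charset= shows."""
    pieces = [p.strip() for p in value.split(";")]
    params = [(k.strip().lower(), v.strip().strip('"'))
              for k, eq, v in (p.partition("=") for p in pieces[1:]) if eq]
    return pieces[0].lower(), params


def check_content_type(value):
    """CVE-2022-39955 class: more than one charset, or a charset off the allowlist."""
    charsets = [v.lower() for k, v in parse_params(value)[1] if k == "charset"]
    if len(charsets) > 1:
        return "multiple charset parameters in Content-Type"
    if charsets and charsets[0] not in ALLOWED_CHARSETS:
        return "charset not allowed in Content-Type: " + charsets[0]
    return None


def check_accept(value):
    """CVE-2022-39957 class: charset= on an Accept media range can steer the backend into a
    response encoding that the response rules cannot inspect."""
    for media_range in value.split(","):
        if any(k == "charset" for k, _ in parse_params(media_range)[1]):
            return "charset parameter in Accept"
    return None


def check_range(value):
    """CVE-2022-39958 class: a byte range narrower than MIN_RANGE_BYTES lets a response be
    pulled out in slices too short for the response rules to match."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", value)
    if not m:
        return "unsupported Range unit"
    for spec in (s.strip() for s in m.group(1).split(",")):
        r = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not r or spec == "-":
            return "malformed Range: " + spec
        first, last = r.groups()
        if not last:                  # "N-": open-ended, size not known here
            continue
        size = int(last) - int(first) + 1 if first else int(last)  # "a-b" or suffix "-N"
        if size < MIN_RANGE_BYTES:
            return "Range too small: " + spec
    return None


def check_multipart(body, boundary):
    """CVE-2022-39956 class: a part that declares Content-Transfer-Encoding, or a part
    Content-Type with a charset off the allowlist, uses an encoding the WAF does not decode."""
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):                       # closing delimiter
            break
        for line in part.lstrip("\r\n").partition("\r\n\r\n")[0].split("\r\n"):
            name, _, hval = line.partition(":")
            name = name.strip().lower()
            if name == "content-transfer-encoding":
                return "multipart part declares Content-Transfer-Encoding"
            if name == "content-type" and check_content_type(hval.strip()):
                return "multipart part Content-Type charset not allowed"
    return None


def scan_request(headers, body=""):
    """Run every check on one request; an empty list means the pre-filter passes it."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-type" in h:
        findings.append(check_content_type(h["content-type"]))
        media, params = parse_params(h["content-type"])
        boundary = dict(params).get("boundary")
        if media == "multipart/form-data" and boundary:
            findings.append(check_multipart(body, boundary))
    if "accept" in h:
        findings.append(check_accept(h["accept"]))
    if "range" in h:
        findings.append(check_range(h["range"]))
    return [f for f in findings if f]


# Constructed sample requests (not captured traffic): one per bypass class plus a clean one.
MULTIPART_BODY = ("--xyz\r\n" 'Content-Disposition: form-data; name="data"\r\n'
                  "Content-Transfer-Encoding: base64\r\n\r\n" "PHNjcmlwdD4=\r\n" "--xyz--\r\n")
SAMPLES = {
    "multi_charset": ({"Content-Type": "text/plain; charset=utf-8; charset=utf-7"}, ""),
    "mime_abuse": ({"Content-Type": "multipart/form-data; boundary=xyz"}, MULTIPART_BODY),
    "accept_charset": ({"Accept": "text/html; charset=utf-16, */*"}, ""),
    "small_range": ({"Range": "bytes=0-9"}, ""),
    "clean": ({"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "Range": "bytes=0-1023"}, ""),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, "->", scan_request(hdrs, body) or "pass")
```

Two design points carry over to any real rule set: parse_params keeps duplicate parameters instead of collapsing them into a dictionary, because the first bypass class depends on exactly that second charset= being discarded by a naive parser; and check_multipart inspects the headers of each MIME part rather than only the top-level Content-Type, because the WAF body parser decodes the part bodies as-is while the backend may honour the per-part encoding.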