Source: modsecurity-crs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for modsecurity-crs.

CVE-2023-38199[0]:
| coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does
| not block multiple Content-Type headers, which might allow attackers
| to bypass a WAF with a crafted payload, aka "Content-Type
| confusion." This occurs when the web application relies on only the
| last Content-Type header.

https://github.com/coreruleset/coreruleset/issues/3191
https://github.com/coreruleset/coreruleset/pull/3237

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38199
    https://www.cve.org/CVERecord?id=CVE-2023-38199

Please adjust the affected versions in the BTS as needed.
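The condition the CVE text describes is a request whose header block carries more than one Content-Type line, where an inspecting component (the WAF) and the application behind it may each honour a different one. The check below is an added illustration of how a front-end or WAF can detect that condition and refuse to guess; it is not code from the Core Rule Set, from the linked pull request, or from the Debian package. The function names (`parse_headers`, `check_content_type`, `should_reject`) and the two sample requests are constructed for this example.

```python
"""Detect duplicate Content-Type headers in a raw HTTP/1.1 request.

Illustrative defender-side check (not Core Rule Set code). The sample
requests SINGLE and DUPLICATE are constructed for this example.
"""
from typing import List, NamedTuple, Optional, Tuple


class ContentTypeCheck(NamedTuple):
    count: int                  # number of Content-Type header lines seen
    values: Tuple[str, ...]     # header values in order of appearance
    first: Optional[str]        # what a "first header wins" parser sees
    last: Optional[str]         # what a "last header wins" parser sees
    ambiguous: bool             # several headers whose values differ


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs.

    Order and duplicates are preserved on purpose: collapsing into a
    dict would silently pick one value and hide the very condition we
    want to detect. Header names are compared case-insensitively.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]          # drop the request line
    pairs: List[Tuple[str, str]] = []
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(b":")
        pairs.append((name.strip().lower().decode("latin-1"),
                      value.strip().decode("latin-1")))
    return pairs


def check_content_type(raw: bytes) -> ContentTypeCheck:
    """Report how many Content-Type headers are present and whether a
    first-wins and a last-wins consumer would disagree about the body."""
    values = tuple(v for n, v in parse_headers(raw) if n == "content-type")
    distinct = {v.lower() for v in values}
    return ContentTypeCheck(
        count=len(values),
        values=values,
        first=values[0] if values else None,
        last=values[-1] if values else None,
        ambiguous=len(values) > 1 and len(distinct) > 1,
    )


def should_reject(raw: bytes) -> bool:
    """Policy a WAF or reverse proxy can apply: any request with more
    than one Content-Type header is rejected, instead of inspecting the
    body under one interpretation while the backend uses another."""
    return check_content_type(raw).count > 1


# Constructed sample requests for the example.
SINGLE = (b"POST /upload HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Type: application/json\r\n"
          b"\r\n{}")

DUPLICATE = (b"POST /upload HTTP/1.1\r\n"
             b"Host: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Type: application/json\r\n"
             b"\r\n{}")

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("duplicate", DUPLICATE)):
        result = check_content_type(req)
        print(label, result.count, result.first, result.last,
              "reject" if should_reject(req) else "allow")
```

The `first` and `last` fields make the disagreement visible: for the duplicate request a component honouring the first header would treat the body as a form post while one honouring the last would parse it as JSON. Rejecting on `count > 1` removes the ambiguity rather than trying to predict which interpretation the backend will choose.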