Improper Encoding or Escaping of Output

CVE-2022-39956

Severity High
Score 9.8/10

Summary

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests: a payload that declares a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields will not be decoded and inspected by the web application firewall engine and the rule set, so the multipart payload bypasses detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. This vulnerability affects CRS versions 3.0.0-rc1 through 3.2.1, and 3.3.0-rc1 through 3.3.2. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
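The following is an added example, not code from the CRS or ModSecurity projects, showing the kind of check a defender can run over a multipart body while the upgrade described above is pending: parse each part's MIME headers and flag any part that declares a Content-Transfer-Encoding other than an identity encoding, or a Content-Type charset outside the set the inspection engine is expected to handle. The boundary, the sample body, and the IDENTITY_CTE / DEFAULT_CHARSETS sets are constructed assumptions for the example.

```python
"""Flag multipart/form-data parts that declare a transfer encoding or a
non-default charset (the condition the advisory says the WAF does not
decode). Added example; not CRS or ModSecurity code."""
import re

# Assumption: these transfer encodings leave the bytes unchanged, so the
# engine inspects them as-is; anything else is a transformation.
IDENTITY_CTE = {"7bit", "8bit", "binary"}
# Assumption: charsets the inspection engine is expected to understand.
DEFAULT_CHARSETS = {"utf-8", "us-ascii", "ascii", "iso-8859-1"}


def parse_multipart(body: bytes, boundary: str):
    """Split a multipart body into (headers, payload) tuples.

    Headers are returned as a dict keyed by lower-cased field name;
    payloads are the raw bytes with the trailing CRLF removed."""
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload.rstrip(b"\r\n")))
    return parts


def suspicious_parts(parts):
    """Return (part_index, reason) for parts whose declared encoding the
    engine would not decode before inspection."""
    findings = []
    for idx, (headers, _payload) in enumerate(parts):
        cte = headers.get("content-transfer-encoding", "").lower()
        if cte and cte not in IDENTITY_CTE:
            findings.append((idx, f"content-transfer-encoding={cte}"))
        ctype = headers.get("content-type", "")
        match = re.search(r"charset\s*=\s*\"?([^\";\s]+)", ctype, re.I)
        if match and match.group(1).lower() not in DEFAULT_CHARSETS:
            findings.append((idx, f"charset={match.group(1).lower()}"))
    return findings


# Constructed sample request body: one plain part, one part declaring a
# UTF-16 charset (payload is "hello"), one part declaring base64
# transfer encoding (payload is base64 of "hello").
SAMPLE_BOUNDARY = "boundary42"
SAMPLE_BODY = (
    b"--boundary42\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"plain text\r\n"
    b"--boundary42\r\n"
    b'Content-Disposition: form-data; name="note"\r\n'
    b"Content-Type: text/plain; charset=utf-16\r\n"
    b"\r\n"
    b"h\x00e\x00l\x00l\x00o\x00\r\n"
    b"--boundary42\r\n"
    b'Content-Disposition: form-data; name="attachment"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8=\r\n"
    b"--boundary42--\r\n"
)


def scan_sample():
    """Parse the constructed body and return the findings."""
    return suspicious_parts(parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY))


if __name__ == "__main__":
    for index, reason in scan_sample():
        print(f"part {index}: {reason}")
```

The check only reports what a part declares; it does not decode the payload, and a declared encoding is not by itself malicious (base64 file uploads are common). Its use is as a triage signal, either to log such requests or to reject them at the edge until ModSecurity is upgraded to the versions named in the summary, which is the actual fix.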

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Advisory Timeline

  • Published