CVE-2022-39955

Partial rule set bypass in OWASP ModSecurity Core Rule Set by submitting a specially crafted HTTP Content-Type header

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Remediation

Solution:

  • upgrade to 3.2.2 or 3.3.3

Category

7.3
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.13%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory gentoo.org Vendor Advisory coreruleset.org
Affected: OWASP ModSecurity Core Rule Set
Published at:
Updated at:

References

Link Tags
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ vendor advisory patch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/ vendor advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html mailing list third party advisory
https://security.gentoo.org/glsa/202305-25 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-39955?
CVE-2022-39955 has been scored as a high severity vulnerability.
How to fix CVE-2022-39955?
To fix CVE-2022-39955: upgrade to 3.2.2 or 3.3.3
Is CVE-2022-39955 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-39955 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-39955?
CVE-2022-39955 affects OWASP ModSecurity Core Rule Set.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.