CVE-2023-38199

Published: 13/07/2023 Updated: 05/09/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

coreruleset (aka OWASP ModSecurity Core Rule Set) up to and including 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow malicious users to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
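To make the header ambiguity concrete, here is an added defender-side check (not code from coreruleset or from this advisory) that parses a constructed request carrying two Content-Type headers, shows the value a first-header consumer and a last-header consumer each see, and rejects the request outright instead of picking one. The request bytes, host name and path are constructed for the example.

```python
"""Detect Content-Type confusion: a request with more than one Content-Type
header, where a WAF and the backend may honour different copies.
Added example for this CVE entry; the sample request below is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed request: two Content-Type fields, the second one is what a
# "last header wins" backend would use, the first what a "first wins" parser sees.
CONSTRUCTED_REQUEST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 17\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"name": "value"}'
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return every header field in wire order, keeping duplicates."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the request line
    fields = []
    for line in lines:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def content_type_views(raw: bytes) -> Dict[str, Optional[object]]:
    """Show how two consumers of the same request can disagree on the media type."""
    fields = parse_headers(raw)
    values = [v for n, v in fields if n == "content-type"]
    return {
        "count": len(values),
        "first_wins": values[0] if values else None,    # a parser that stops at the first match
        "last_wins": dict(fields).get("content-type"),  # a dict-backed parser: last copy overwrites
    }


def content_type_verdict(raw: bytes) -> str:
    """Reject instead of guessing when Content-Type appears more than once."""
    views = content_type_views(raw)
    if views["count"] <= 1:
        return "ok"
    return "reject: %d Content-Type headers (first=%s, last=%s)" % (
        views["count"], views["first_wins"], views["last_wins"])
```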

Vulnerable Product

owasp coreruleset

Vendor Advisories

Debian Bug report logs - #1041109 modsecurity-crs: CVE-2023-38199
Package: src:modsecurity-crs; Maintainer for src:modsecurity-crs is Alberto Gonzalez Iniesta <agi@inittab.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 14 Jul 2023 21:42:13 UTC
Severity: important
Tags: security, upstream
Found in ...