OWASP ModSecurity CRS <=3.3.4: Content-Type header confusion WAF bypass
CVE-2023-38199 Published on July 13, 2023

coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
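To show the detection gap from the defender's side, here is an added example (not CRS or ModSecurity code): a small HTTP/1.1 header parser that reports how a first-header and a last-header consumer would each see Content-Type, and a policy that rejects any request carrying more than one, which is the behaviour the description attributes to the stricter platforms. The request bytes are constructed for the example.

```python
"""Defender-side check for duplicate Content-Type request headers.
Added example, not part of the OWASP CRS project; the sample request is constructed."""

from typing import Dict, List, Optional, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Parse the header block of an HTTP/1.1 request into (name, value) pairs.
    Duplicates and their order are preserved; names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def content_type_views(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """How a first-wins consumer and a last-wins consumer each see Content-Type."""
    values: List[Optional[str]] = [v for n, v in headers if n == "content-type"]
    return {"count": len(values),
            "first": values[0] if values else None,
            "last": values[-1] if values else None}


def check_request(raw: bytes) -> Dict[str, object]:
    """Policy: more than one Content-Type header is rejected as malformed, so a WAF
    and the backend can never be made to parse the body under different types."""
    views = content_type_views(parse_headers(raw))
    ambiguous = views["count"] > 1 and views["first"] != views["last"]
    return {"reject": views["count"] > 1, "ambiguous": ambiguous, **views}


# Constructed sample: two conflicting Content-Type headers on one request.
SAMPLE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"a=1&b=2"
)

if __name__ == "__main__":
    print(check_request(SAMPLE))
```

A request with a single Content-Type header passes the policy unchanged; only the duplicate case is flagged.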

Exploit Probability

EPSS
0.04%
Percentile
12.00%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.