ModSecurity 3.0.0-3.0.11 WAF Bypass via URL Path, Fixed in 3.0.12
CVE-2024-1019 Published on January 30, 2024
WAF bypass of the ModSecurity v3 release line
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters in the request URL before it separates the URL path component from the optional query string component, which creates an impedance mismatch with RFC-compliant back-end applications: the WAF and the back-end disagree on where the path ends. As a result, an attack payload in the path component of the URL is hidden from the WAF rules that inspect that component. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.
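The ordering problem described above is easiest to see with two small parsers side by side. The following is an added example and is not code from the advisory or from the ModSecurity project: one parser decodes percent-encoding before splitting path from query (the order the advisory attributes to the affected versions), the other splits on the first literal `?` first and then decodes each component (the RFC 3986 order a back-end follows), and a helper flags request targets on which the two disagree. The function names, the `SAMPLE_LOG` lines and the `%3F`-in-raw-path heuristic are all this example's own assumptions, not something the advisory specifies.

```python
"""Added example: decode-before-split versus split-before-decode request-target
parsing, and a log-review check derived from the difference.  Not the
ModSecurity project's code; all request lines are constructed samples."""
from urllib.parse import unquote


def split_then_decode(target: str) -> tuple[str, str]:
    """RFC 3986 order: separate path from query on the first literal '?',
    then percent-decode each part.  An encoded '%3F' stays inside the path."""
    path, _, query = target.partition("?")
    return unquote(path), unquote(query)


def decode_then_split(target: str) -> tuple[str, str]:
    """Order the advisory describes for 3.0.0-3.0.11 (assumed here): decode the
    whole target first, so a '%3F' becomes a literal '?' and everything after
    it is treated as query string, leaving the inspected path shorter."""
    decoded = unquote(target)
    path, _, query = decoded.partition("?")
    return path, query


def path_seen_differently(target: str) -> bool:
    """True when the two parsers disagree on the path component, i.e. when an
    RFC-compliant back-end would act on path data that a decode-first engine
    never saw as part of the path."""
    return split_then_decode(target)[0] != decode_then_split(target)[0]


# Constructed access-log style request lines (METHOD target HTTP-version).
SAMPLE_LOG = [
    "GET /items/report?x=1 HTTP/1.1",
    "GET /items/report%3Fx=1 HTTP/1.1",
    "GET /items/a%20b HTTP/1.1",
]


def flag_requests(lines):
    """Heuristic for reviewing logs of an engine that decodes before splitting:
    return every request target whose raw path (the part before any literal
    '?') carries a percent-encoded '?'.  Ordinary encoded characters such as
    '%20' do not move the path/query boundary and are not flagged."""
    flagged = []
    for line in lines:
        target = line.split()[1]
        raw_path = target.partition("?")[0]
        if "%3f" in raw_path.lower():
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        target = line.split()[1]
        print(target, "->", "differs" if path_seen_differently(target) else "same",
              split_then_decode(target), decode_then_split(target))
    print("flagged:", flag_requests(SAMPLE_LOG))
```

The disagreement shows up only for the target carrying `%3F` in the path: the split-first parser keeps `/items/report?x=1` as the path, while the decode-first parser inspects only `/items/report` and treats `x=1` as query. Targets with an unencoded `?` or with other encoded characters parse identically both ways, which is why the check keys on the raw, undecoded path rather than on the decoded result.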
Vulnerability Analysis
CVE-2024-1019 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Timeline
OWASP CRS submits report to Trustwave Spiderlabs, including an SQLi proof of concept.
1 day later: Trustwave Spiderlabs acknowledges the report and promises an investigation.
14 days later: OWASP CRS asks for an update.
1 day later: Trustwave Spiderlabs rejects the report, describing it as an anomaly without security impact.
2 days later: OWASP CRS reiterates the previously shared SQLi proof of concept.
Trustwave Spiderlabs acknowledges the security impact.
3 days later: OWASP CRS shares an XSS proof of concept.
3 days later: Trustwave Spiderlabs promises a security release early in the new year.
26 days later: OWASP CRS asks for an update.
1 day later: Trustwave Spiderlabs announces a preview patch by Jan 12 and a release in the week of Jan 22.
9 days later: Trustwave Spiderlabs shares the preview patch with the primary contact from OWASP CRS.
10 days later: OWASP CRS confirms the preview patch fixes the vulnerability.
2 days later: Trustwave Spiderlabs announces the transfer of the ModSecurity project to OWASP for 2023-01-25.
1 day later: Trustwave Spiderlabs transfers the ModSecurity repository to OWASP.
OWASP creates OWASP ModSecurity, assigns it production level, and the primary contact from OWASP CRS becomes OWASP ModSecurity co-lead.
1 day later: OWASP ModSecurity leaders decide to release on 2023-01-30.
1 day later: OWASP ModSecurity creates a GPG key to sign the upcoming release and shares it via public key servers.
2 days later: NCSC-CH assigns CVE-2024-1019; advisory text and release notes are prepared, and the planned release procedure is discussed with Trustwave Spiderlabs.
1 day later: OWASP ModSecurity releases 3.0.12.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2024-1019
Affected Versions
OWASP ModSecurity (ModSecurity): versions 3.0.0 through 3.0.11 (>= 3.0.0, <= 3.0.11) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.