822003 – (CVE-2021-35368) <www-apache/modsecurity-crs-3.3.2: WAF bypass (CVE-2021-35368)

Bug 822003 (CVE-2021-35368) - <www-apache/modsecurity-crs-3.3.2: WAF bypass (CVE-2021-35368)

Summary: <www-apache/modsecurity-crs-3.3.2: WAF bypass (CVE-2021-35368)

Status:	RESOLVED FIXED

Alias:	CVE-2021-35368

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://portswigger.net/daily-swig/wa...
Whiteboard:	B4 [glsa+]
Keywords:	PullRequest

Depends on:	829741
Blocks:
	Show dependency tree

Reported:	2021-11-05 20:30 UTC by John Helmert III
Modified:	2023-05-21 19:53 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/23437 https://github.com/gentoo/gentoo/pull/23482
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-11-05 20:30:54 UTC

CVE-2021-35368:

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.

Needs bump to 3.3.2.

Comment 1 Larry the Git Cow gentoo-dev

2021-12-21 02:05:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38b60368c54e4cd1e60c9348d205c443a1d09d96

commit 38b60368c54e4cd1e60c9348d205c443a1d09d96
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-20 18:17:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-21 02:04:50 +0000

    www-apache/modsecurity-crs: bump to 3.3.2
    
    Bug: https://bugs.gentoo.org/822003
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/modsecurity-crs/Manifest                |  1 +
 .../modsecurity-crs/modsecurity-crs-3.3.2.ebuild   | 33 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)

Comment 2 Sam James archtester

2021-12-21 02:15:17 UTC

Please stable when ready. Thanks!

Comment 3 John Helmert III archtester

2021-12-22 00:48:11 UTC

Please cleanup

Comment 4 Larry the Git Cow gentoo-dev

2021-12-24 08:01:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be388d9d12b30c1b64da56852ebf5ff3af69be98

commit be388d9d12b30c1b64da56852ebf5ff3af69be98
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-23 12:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-24 08:01:43 +0000

    www-apache/modsecurity-crs: drop vulnerable
    
    Bug: https://bugs.gentoo.org/822003
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23482
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/modsecurity-crs/Manifest                |  1 -
 .../modsecurity-crs/modsecurity-crs-3.3.0.ebuild   | 33 ----------------------
 2 files changed, 34 deletions(-)

Comment 5 John Helmert III archtester

2023-01-25 19:43:14 UTC

GLSA request filed

Comment 6 Larry the Git Cow gentoo-dev

2023-05-21 19:52:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e18d39bd8feec34396dd5f946e2b6a0c3031adff

commit e18d39bd8feec34396dd5f946e2b6a0c3031adff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:55 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:33 +0000

    [ GLSA 202305-25 ] OWASP ModSecurity Core Rule Set: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/822003
    Bug: https://bugs.gentoo.org/872077
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-25.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

Comment 7 John Helmert III archtester

2023-05-21 19:53:22 UTC

GLSA released, all done!