CVE-2020-22669

NameCVE-2020-22669
DescriptionModsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3293-1, ELA-783-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity-crs (PTS)jessie2.2.9-1+deb8u1vulnerable
stretch (lts), stretch3.2.3-0+deb9u1fixed
buster (security), buster, buster (lts)3.2.3-0+deb10u3fixed
bullseye3.3.0-1+deb11u1vulnerable
bookworm3.3.4-1fixed
sid, trixie3.3.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecurity-crssourcejessie(unfixed)end-of-life
modsecurity-crssourcestretch3.2.3-0+deb9u1ELA-783-1
modsecurity-crssourcebuster3.2.3-0+deb10u3DLA-3293-1
modsecurity-crssource(unstable)3.3.2-1

Notes

[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
https://github.com/coreruleset/coreruleset/pull/1793
https://github.com/coreruleset/coreruleset/commit/1a6e9e097587cecc038f1a1a76fc067c7797bbcd (v3.3.1-rc1)
https://github.com/coreruleset/coreruleset/commit/909cab560b56f998faee88dd8a7aa9cf086d2d9f (v3.3.1-rc1)

Search for package or bug name: Reporting problems