CVE-2021-35368

Name:        CVE-2021-35368
Description: OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
Source:      CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References:  ELA-783-1
Debian Bugs: 992000

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                                    Version            Status
modsecurity-crs (PTS)   jessie                                     2.2.9-1+deb8u1     fixed
                        stretch (lts), stretch                     3.2.3-0+deb9u1     fixed
                        buster (security), buster, buster (lts)    3.2.3-0+deb10u3    fixed
                        bullseye                                   3.3.0-1+deb11u1    fixed
                        bookworm                                   3.3.4-1            fixed
                        sid, trixie                                3.3.7-1            fixed

The information below is based on the following data on fixed versions.

Package            Type     Release       Fixed Version      Urgency    Origin       Debian Bugs
modsecurity-crs    source   jessie        (not affected)
modsecurity-crs    source   stretch       3.2.3-0+deb9u1                ELA-783-1
modsecurity-crs    source   buster        3.1.0-1+deb10u2
modsecurity-crs    source   bullseye      3.3.0-1+deb11u1
modsecurity-crs    source   (unstable)    3.3.2-1                                    992000

Notes

[stretch] - modsecurity-crs <no-dsa> (Minor issue)
https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://github.com/coreruleset/coreruleset/pull/2143
https://github.com/coreruleset/coreruleset/commit/132c19c8f21c8cd4d3cd484d4f34ef786ee39b05 (v3.4-dev)
Introduced by https://github.com/coreruleset/coreruleset/commit/b3995e5d332be9f2445ee91b6e1366440bdbe109 (v3.0.0-rc2)
[jessie] - modsecurity-crs <not-affected> (Vulnerable rules introduced later)