ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could…
mitre·CWE-674·Published 2021-12-07
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
ModSecurity versiones 3.x hasta 3.0.5, maneja inapropiadamente los objetos JSON excesivamente anidados. Los objetos JSON diseñados con un anidamiento de decenas de miles de metros de profundidad podían hacer que el servidor web no pudiera atender peticiones legítimas. Incluso una petición HTTP moderadamente grande (por ejemplo, 300KB) puede ocupar uno de los limitados procesos de trabajo de NGINX durante minutos y consumir casi toda la CPU disponible en la máquina. Modsecurity 2 es igualmente vulnerable: las versiones afectadas incluyen la 2.8.0 hasta la 2.9.4
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |