Unrated severityNVD Advisory· Published Dec 7, 2021· Updated Aug 4, 2024
CVE-2021-42717
CVE-2021-42717
Description
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
Affected products
7- ModSecurity/ModSecuritydescription
- osv-coords6 versionspkg:bitnami/modsecuritypkg:bitnami/modsecurity2pkg:rpm/opensuse/modsecurity&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/modsecurity&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/modsecurity&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/modsecurity&distro=SUSE%20Package%20Hub%2015%20SP5
>= 2.0.0, < 2.9.5+ 5 more
- (no CPE)range: >= 2.0.0, < 2.9.5
- (no CPE)range: >= 2.0.0, < 2.9.5
- (no CPE)range: < 3.0.10-bp154.2.3.1
- (no CPE)range: < 3.0.10-bp155.3.3.1
- (no CPE)range: < 3.0.10-bp154.2.3.1
- (no CPE)range: < 3.0.10-bp155.3.3.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- www.debian.org/security/2021/dsa-5023mitrevendor-advisoryx_refsource_DEBIAN
- lists.debian.org/debian-lts-announce/2022/05/msg00042.htmlmitremailing-listx_refsource_MLIST
- www.oracle.com/security-alerts/cpuapr2022.htmlmitrex_refsource_MISC
- www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.