Bitnami package
modsecurity
pkg:bitnami/modsecurity
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42268 | High | 7.5 | — | >= 3.0.0, < 3.0.15 | 3.0.15 | May 12, 2026 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses |
| CVE-2026-30923 | High | 7.5 | — | < 3.0.15 | 3.0.15 | May 5, 2026 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string param |
| CVE-2025-54571 | — | — | — | < 2.9.12 | 2.9.12 | Aug 5, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, |
| CVE-2025-52891 | Med | 6.5 | — | >= 2.9.8, < 3.0.12 | 3.0.12 | Jul 2, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application |
| CVE-2025-48866 | — | — | — | < 3.0.12 | 3.0.12 | Jun 2, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same |
| CVE-2025-47947 | — | — | — | < 3.0.12 | 3.0.12 | May 21, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application |
| CVE-2025-27110 | — | — | — | >= 3.0.13, < 3.0.14 | 3.0.14 | Feb 25, 2025 | Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0. |
| CVE-2024-46292 | — | — | — | >= 3.0.12, < 3.0.13 | 3.0.13 | Oct 9, 2024 | A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not gu |
| CVE-2024-1019 | — | — | — | >= 3.0.0, < 3.0.12 | 3.0.12 | Jan 30, 2024 | ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional qu |
| CVE-2023-38285 | — | — | — | >= 3.0.0, < 3.0.10 | 3.0.10 | Jul 26, 2023 | Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. |
| CVE-2023-28882 | — | — | — | >= 3.0.5, < 3.0.9 | 3.0.9 | Apr 28, 2023 | Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations. |
| CVE-2023-24021 | — | — | — | < 2.9.7 | 2.9.7 | Jan 20, 2023 | Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection. |
| CVE-2022-48279 | — | — | — | < 2.9.6 | 2.9.6 | Jan 20, 2023 | In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. |
| CVE-2021-42717 | — | — | — | >= 2.0.0, < 2.9.5 | 2.9.5 | Dec 7, 2021 | ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the |
| CVE-2020-15598 | — | — | — | >= 3.0.0, < 3.0.5 | 3.0.5 | Oct 6, 2020 | Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can r |