rpm package
opensuse/apache2-mod_security2&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/apache2-mod_security2&distro=openSUSE%20Tumbleweed
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54571 | — | | | < 2.9.12-1.1 | 2.9.12-1.1 | Aug 5, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, |
| CVE-2025-52891 | Med | 6.5 | | < 2.9.11-1.1 | 2.9.11-1.1 | Jul 2, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application |
| CVE-2025-48866 | — | | | < 2.9.10-1.1 | 2.9.10-1.1 | Jun 2, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same |
| CVE-2025-47947 | — | | | < 2.9.10-1.1 | 2.9.10-1.1 | May 21, 2025 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application |
| CVE-2022-48279 | — | | | < 2.9.8-2.1 | 2.9.8-2.1 | Jan 20, 2023 | In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. |
| CVE-2013-2765 | — | | | < 2.9.0-5.6 | 2.9.0-5.6 | Jul 15, 2013 | The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. |
| CVE-2013-1915 | — | | | < 2.9.0-5.6 | 2.9.0-5.6 | Apr 25, 2013 | ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity ( |
| CVE-2012-4528 | — | | | < 2.9.0-5.6 | 2.9.0-5.6 | Dec 28, 2012 | The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. |
| CVE-2012-2751 | — | | | < 2.9.0-5.6 | 2.9.0-5.6 | Jul 22, 2012 | ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering r |
| CVE-2009-5031 | — | | | < 2.9.0-5.6 | 2.9.0-5.6 | Jul 22, 2012 | ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Dispo |