Vulnerability Description
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Owasp | Owasp Modsecurity Core Rule Set | >= 3.0.0, < 3.2.2 |
| Fedoraproject | Fedora | 35 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cvPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/01/msg00033.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202305-25
- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cvPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/01/msg00033.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/08/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202305-25
FAQ
What is CVE-2022-39955?
CVE-2022-39955 is a vulnerability with a CVSS score of 7.3 (HIGH). The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. ...
How severe is CVE-2022-39955?
CVE-2022-39955 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39955?
Check the references section above for vendor advisories and patch information. Affected products include: Owasp Owasp Modsecurity Core Rule Set, Fedoraproject Fedora, Debian Debian Linux.