Vulnerability Description
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Owasp | Owasp Modsecurity Core Rule Set | >= 3.0.0, < 3.2.2 |
| Fedoraproject | Fedora | 35 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cvPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/01/msg00033.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202305-25
- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cvPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/01/msg00033.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/08/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202305-25
FAQ
What is CVE-2022-39957?
CVE-2022-39957 is a vulnerability with a CVSS score of 7.3 (HIGH). The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the respo...
How severe is CVE-2022-39957?
CVE-2022-39957 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39957?
Check the references section above for vendor advisories and patch information. Affected products include: Owasp Owasp Modsecurity Core Rule Set, Fedoraproject Fedora, Debian Debian Linux.