Denial of Service (ReDOS) Vulnerability in OWASP ModSecurity Core Rule Set (CRS)

Denial of Service (ReDOS) Vulnerability in OWASP ModSecurity Core Rule Set (CRS)

CVE-2019-11388 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity

Learn more about our Web Application Penetration Testing UK.