Discover the disputed vulnerability in OWASP ModSecurity Core Rule Set (CRS) version 3.1.0 tracked as CVE-2019-11390. Learn about the potential impact, affected systems, exploitation mechanism, and mitigation steps.
A vulnerability has been identified in the OWASP ModSecurity Core Rule Set (CRS) version 3.1.0 that could potentially enable remote attackers to launch a ReDoS (regular expression denial of service) attack. The software maintainer disputes this classification, stating that the issue cannot be exploited through ModSecurity.
Understanding CVE-2019-11390
This CVE involves a disputed vulnerability in the OWASP ModSecurity Core Rule Set (CRS) version 3.1.0.
What is CVE-2019-11390?
The vulnerability in the file "/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf" allows remote attackers to trigger a ReDoS attack by submitting a specially crafted string that starts with "set_error_handler#" and exercises nested repetition operators in the rule's regular expression.
The Impact of CVE-2019-11390
The software maintainer argues that this issue cannot be exploited through ModSecurity, potentially reducing the severity of the vulnerability.
Technical Details of CVE-2019-11390
This section provides more technical insights into the CVE.
Vulnerability Description
The vulnerability in the OWASP ModSecurity CRS version 3.1.0 allows a ReDoS attack through a regular expression in the rule file "/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf", potentially leading to a denial of service.
Affected Systems and Versions
OWASP ModSecurity Core Rule Set (CRS) version 3.1.0.
Exploitation Mechanism
A crafted request string beginning with "set_error_handler#" drives the rule's regular expression into catastrophic backtracking because of its nested repetition operators, which is what makes the pattern a ReDoS candidate. The maintainer maintains that this cannot be exploited through ModSecurity.
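The pattern shape at issue here, a quantifier applied to a group that already contains a quantifier, can be screened for before a rule set is deployed. The following added example (not CRS code; the SecRule lines it scans are constructed samples, not the real rule 933 patterns) parses `@rx` operators out of SecRule lines and flags regexes with nested quantifiers:

```python
import re

# Constructed sample rules for this demo, NOT the real CRS 933 rules.
# Rule 2 nests a quantifier inside a quantified group, the ReDoS-prone shape.
SAMPLE_RULES = r'''
SecRule ARGS "@rx (?i)set_error_handler\s*\(" "id:1,phase:2,deny"
SecRule ARGS "@rx (?i)(?:set_error_handler)#(?:[a-z]+\s*)+;" "id:2,phase:2,deny"
SecRule ARGS "@pm set_error_handler" "id:3,phase:2,deny"
'''

# SecRule <variables> "@rx <pattern>" "<actions>"; the pattern may contain \" escapes.
SECRULE = re.compile(r'^\s*SecRule\s+\S+\s+"!?@rx\s+((?:[^"\\]|\\.)*)"\s+"([^"]*)"', re.M)

def _is_quant(p, i):  # does p[i] start a quantifier: *, +, ? or {n,m}?
    return i < len(p) and (p[i] in "*+?" or (p[i] == "{" and p[i + 1:i + 2].isdigit()))

def nested_quantifiers(p):
    """Heuristic: True if a quantifier applies to a group that already contains one, e.g. (a+)+."""
    stack = [False]             # one flag per open group: quantifier seen inside it?
    i = 0
    while i < len(p):
        c = p[i]
        if c == "\\":           # escaped character is a literal: skip both chars
            i += 2
        elif c == "[":          # character class: skip to its closing ]
            j = i + 1 + (p[i + 1:i + 2] == "^")
            while j < len(p) and p[j] != "]":
                j += 2 if p[j] == "\\" else 1
            i = j + 1
        elif c == "(":          # open group; skip the (?: / (?i / (?= prefix if present
            stack.append(False)
            i += 3 if p[i + 1:i + 2] == "?" else 1
        elif c == ")" and len(stack) > 1:
            inner = stack.pop()
            i += 1
            quantified = _is_quant(p, i)
            if inner and quantified:   # quantified group containing a quantifier
                return True
            stack[-1] = stack[-1] or inner or quantified
        else:
            if _is_quant(p, i):
                stack[-1] = True
            i += 1
    return False

def lint_rules(text):
    """[(rule id, pattern)] for each @rx SecRule whose regex nests quantifiers (assumes id: present)."""
    return [(re.search(r"\bid:(\d+)", act).group(1), pat)
            for pat, act in SECRULE.findall(text) if nested_quantifiers(pat)]
```

The heuristic is deliberately conservative: it reports candidates for manual review and does not prove that an engine with backtracking limits will actually stall on them.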
Mitigation and Prevention
Protecting systems from CVE-2019-11390 requires both immediate actions and long-term security practices.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates