SQL Injection Bypass Vulnerability in Modsecurity by SpiderLabs
CVE-2020-22669

9.8CRITICAL

Key Information:

Vendor: Owasp
Status: Owasp Modsecurity Core Rule Set
Vendor: CVE Published:; 2 September 2022

What is CVE-2020-22669?

The vulnerability in Modsecurity OWASP Core Rule Set version 3.2.0 allows attackers to exploit SQL injection techniques by using specialized comment characters and variable assignments within SQL syntax. This manipulation can bypass the Web Application Firewall (WAF) protection provided by Modsecurity, exposing web applications to potential SQL injection attacks. It’s crucial for web developers and security teams to be aware of this vulnerability and apply security patches to mitigate any risks associated with it.

References

https://github.com/SpiderLabs/owasp-modsecurity-crs/issue...

https://github.com/coreruleset/coreruleset/pull/1793

https://lists.debian.org/debian-lts-announce/2023/01/msg0...

mailing-list

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 2, 2022
Vulnerability Reserved
Aug 13, 2020

CVE-2020-22669 Data

JSON

Owasp

What is CVE-2020-22669?

References

CVSS V3.1

Timeline