Content-Type Confusion Vulnerability in OWASP ModSecurity Core Rule Set
CVE-2023-38199

9.8 CRITICAL

Key Information:

Vendor: OWASP
CVE Published: 13 July 2023

What is CVE-2023-38199?

The OWASP ModSecurity Core Rule Set prior to version 3.3.4 does not detect multiple Content-Type request headers on specific platforms. This oversight can let an attacker bypass the Web Application Firewall (WAF) by exploiting 'Content-Type confusion' between the WAF and the backend application. The issue arises when the backend web application considers only the last Content-Type header, whereas other platforms might reject or merge the additional conflicting headers, so the WAF's inspection does not match what the application actually processes. This vulnerability poses significant risk for web applications that rely on proper header validation for their security.
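To make the described disagreement concrete, here is an added Python illustration (not code from the advisory or from the CRS project) with a constructed request: it shows what a first-occurrence inspector and a last-occurrence backend each see, and a defensive check that flags the ambiguity instead of guessing. Function names and the sample request are assumptions for this example.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_headers(raw: bytes) -> List[Header]:
    """Split a raw HTTP/1.1 request head into ordered (name, value) pairs.
    Duplicates are preserved so the caller decides how to treat them."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs: List[Header] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name.strip().decode("ascii").lower(),
                      value.strip().decode("latin-1")))
    return pairs


def content_type_first(headers: List[Header]) -> Optional[str]:
    """What an inspector that honours only the first occurrence sees."""
    return next((v for n, v in headers if n == "content-type"), None)


def content_type_last(headers: List[Header]) -> Optional[str]:
    """What a backend that honours only the last occurrence sees."""
    values = [v for n, v in headers if n == "content-type"]
    return values[-1] if values else None


def has_conflicting_content_type(headers: List[Header]) -> bool:
    """Defensive check: reject ambiguity rather than guess which copy wins.
    Flags more than one Content-Type header, or a single header carrying a
    comma-joined list (what a merging front end may hand the backend).
    Simplification: a comma inside a quoted parameter would also trigger it."""
    values = [v for n, v in headers if n == "content-type"]
    return len(values) > 1 or any("," in v for v in values)


# Constructed sample requests for this example, not taken from the advisory.
CONFUSING = (b"POST /submit HTTP/1.1\r\n"
             b"Host: app.example.test\r\n"
             b"Content-Type: text/plain\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 7\r\n\r\n"
             b"a=1&b=2")
CLEAN = CONFUSING.replace(b"Content-Type: text/plain\r\n", b"")

if __name__ == "__main__":
    hdrs = parse_headers(CONFUSING)
    print("first-wins sees:  ", content_type_first(hdrs))
    print("last-wins sees:   ", content_type_last(hdrs))
    print("conflict flagged: ", has_conflicting_content_type(hdrs))
```

On the constructed request the two readers disagree (text/plain versus the form type) while the check flags it; the single-header variant passes.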

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved