Content-Type Confusion Vulnerability in OWASP ModSecurity Core Rule Set
CVE-2023-38199
9.8 CRITICAL
What is CVE-2023-38199?
The OWASP ModSecurity Core Rule Set prior to version 3.3.4 is susceptible to a vulnerability that allows multiple Content-Type request headers to go undetected on specific platforms. This oversight can enable attackers to bypass Web Application Firewalls (WAFs) by exploiting the 'Content-Type confusion' between the WAF and the backend application. The issue arises when the web application considers only the last Content-Type header, whereas other platforms might reject or merge additional conflicting headers, leading to detection failures. This vulnerability poses significant risks for web applications relying on proper header validation to ensure security.
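The disagreement described above can be made concrete with a small check that collects every Content-Type header in a request and shows what a last-header-wins parser and a merging parser would each conclude. This is an added example, not code from the Core Rule Set or ModSecurity; the function names, the strict reject policy and the sample requests are assumptions constructed for illustration.

```python
from __future__ import annotations

# Constructed sample requests (not captured traffic).
DUPLICATE = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: text/plain\r\n"
    b"content-type: application/json\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)
SINGLE = DUPLICATE.replace(b"Content-Type: text/plain\r\n", b"")


def content_type_values(raw_request: bytes) -> list[str]:
    """Return every Content-Type field value in the request head, in order."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive, so compare in lower case.
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values


def views(values: list[str]) -> dict[str, str | None]:
    """The type as seen by a last-header-wins parser and by a merging one."""
    return {
        "last": values[-1] if values else None,
        "merged": ", ".join(values) if values else None,
    }


def should_reject(raw_request: bytes) -> bool:
    """Strict policy: more than one Content-Type header is refused."""
    return len(content_type_values(raw_request)) > 1


if __name__ == "__main__":
    for label, req in (("duplicate", DUPLICATE), ("single", SINGLE)):
        found = content_type_values(req)
        print(label, found, views(found), "reject" if should_reject(req) else "accept")
```

When the two views differ, a body inspection decision made on one value does not describe how the other component will parse the body, which is why refusing the request outright is the simplest safe policy.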
