U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-1019

Change History

New CVE Received by NIST 1/30/2024 11:15:47 AM

Action Type Old Value New Value
Added CVSS V3.1

Switzerland Government Common Vulnerability Program AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Added CWE

Switzerland Government Common Vulnerability Program CWE-20
Added Description

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.
Added Reference

Switzerland Government Common Vulnerability Program https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30 [No types assigned]