How severe is CVE-2022-39958?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2022-39958?

This is classified as CWE-863, which is a common weakness in software security.

CVE-2022-39958 - HIGH Severity | CVSS 7.5

Vulnerability Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Related Vulnerabilities

CVE-2006-6679

HIGH

CVSS:7.5(High)

Pedro Lineu Orso chetcpasswd before 2.4 relies on the X-Forwarded-For HTTP header when verifying a client's status on an IP address ACL, which allows remote attackers to gain unauthorized access by sp...

CWE-8632006

CVE-2008-4577

HIGH

CVSS:7.5(High)

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

CWE-8632008

CVE-2009-3723

HIGH

CVSS:7.5(High)

asterisk allows calls on prohibited networks

CWE-8632009

CVE-2011-2726

HIGH

CVSS:7.5(High)

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual...

CWE-8632011

CVE-2012-2238

HIGH

CVSS:7.5(High)

trytond 2.4: ModelView.button fails to validate authorization

CWE-8632012

CVE-2012-3822

HIGH

CVSS:7.5(High)

Arial Campaign Enterprise before 11.0.551 has unauthorized access to the User-Edit.asp page, which allows remote attackers to enumerate users' credentials.

CWE-8632012