CVE-2020-22669

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.

Published: Sep 2, 2022
Updated: Apr 14, 2023
CVE: CVE-2020-22669
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
owasp / owasp_modsecurity_core_rule_set	3.2.0	3.2.0.x
debian / debian_linux	10.0	10.0.x

https://github.com/coreruleset/coreruleset/pull/1793
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html

Vulnerability Database

CVE-2020-22669