CVE-2019-13464

Published: 09 July 2019

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
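The bypass comes down to a rule matching header names by exact spelling while the PHP backend treats X.Filename and X_Filename as the same name. The following Python sketch is an added example, not CRS code: it compares an exact-name check with one that canonicalizes the name first. The header list, the filename pattern, and the folding of hyphens are assumptions made for illustration.

```python
import re

# Assumed pattern for a PHP script filename (constructed for this example).
PHP_NAME = re.compile(r"\.(?:php\d*|phtml)\.*$", re.IGNORECASE)

# Header names an exact-match rule might list (assumed for this example).
EXACT_NAMES = {"x-filename", "x_filename", "x-file-name"}


def canonical(name):
    """Fold '.', '-' and '_' into '_' so every spelling the backend
    treats as equivalent maps to a single key."""
    return re.sub(r"[.\-_]", "_", name.strip().lower())


CANONICAL_NAMES = {canonical(n) for n in EXACT_NAMES}


def flagged_exact(headers):
    """Exact-name check: misses any spelling that is not listed."""
    return [name for name, value in headers
            if name.lower() in EXACT_NAMES and PHP_NAME.search(value)]


def flagged_normalized(headers):
    """Canonicalize the header name before the lookup, then apply the
    same filename test."""
    return [name for name, value in headers
            if canonical(name) in CANONICAL_NAMES and PHP_NAME.search(value)]


# Constructed sample request headers.
SAMPLE = [
    ("Host", "example.test"),
    ("X.Filename", "avatar.php"),
    ("Content-Type", "application/octet-stream"),
]

if __name__ == "__main__":
    print("exact-name check:     ", flagged_exact(SAMPLE))
    print("canonicalized check:  ", flagged_normalized(SAMPLE))
```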

From the Ubuntu security team

msalvatore> For modsecurity, vulnerability is in the test suite. No security impact.
msalvatore> There is security impact for modsecurity-crs

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
modsecurity
Upstream: Needs triage
Ubuntu 21.10 (Impish Indri): Ignored (vulnerable code is part of the test suite, not production code)
Ubuntu 21.04 (Hirsute Hippo): Ignored (vulnerable code is part of the test suite, not production code)
Ubuntu 20.10 (Groovy Gorilla): Ignored (vulnerable code is part of the test suite, not production code)
Ubuntu 20.04 LTS (Focal Fossa): Ignored (vulnerable code is part of the test suite, not production code)
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

modsecurity-crs
Upstream: Released (3.2.0-1)
Ubuntu 21.10 (Impish Indri): Not vulnerable (3.2.0-1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (3.2.0-1)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (3.2.0-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.2.0-1)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist