ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the
global matching of regular expressions. The combination of a non-anchored
regular expression and the ModSecurity “capture” action can be exploited via a
specially crafted payload.
While ModSecurity v2.x used to quit the execution of a regular expression
after the first match. ModSecurity v3.0.x silently changed the behavior to
global matching. This results in a DoS for existing non-anchored regexes in
rules containing the “capture” action. It also fills the TX variable space
beyond the documented limit of 10 instances. The defense is handicapped due to
the absence of the SecRequestBodyNoFilesLimit directive. The vendor Trustwave
Spiderlabs dropped this functionality for ModSecurity v3.
The vendor did not publish a new release, but there is a patch that brings
back the former behavior.
CVSSv3: 7.5 HIGH
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
Exploitability Metrics:
* Attack Vector: Network
* Attack Complexity: Low
* Priviledges Required: None
* User Interaction: None
* Scope: Unchanged
Impact Metrics:
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: High
Weakness Enumeration: CWE-400: Uncontrolled Resource Consumption
Known Affected Software Configurations:
ModSecurity v3.0.0
ModSecurity v3.0.1
ModSecurity v3.0.2
ModSecurity v3.0.3
ModSecurity v3.0.4 (patch for this version available
More Information: https://coreruleset.org/20200914/cve-2020-15598/