ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the global matching of regular expressions. The combination of a non-anchored regular expression and the ModSecurity “capture” action can be exploited via a specially crafted payload. While ModSecurity v2.x used to quit the execution of a regular expression after the first match. ModSecurity v3.0.x silently changed the behavior to global matching. This results in a DoS for existing non-anchored regexes in rules containing the “capture” action. It also fills the TX variable space beyond the documented limit of 10 instances. The defense is handicapped due to the absence of the SecRequestBodyNoFilesLimit directive. The vendor Trustwave Spiderlabs dropped this functionality for ModSecurity v3. The vendor did not publish a new release, but there is a patch that brings back the former behavior. CVSSv3: 7.5 HIGH https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1 Exploitability Metrics: * Attack Vector: Network * Attack Complexity: Low * Priviledges Required: None * User Interaction: None * Scope: Unchanged Impact Metrics: * Confidentiality Impact: None * Integrity Impact: None * Availability Impact: High Weakness Enumeration: CWE-400: Uncontrolled Resource Consumption Known Affected Software Configurations: ModSecurity v3.0.0 ModSecurity v3.0.1 ModSecurity v3.0.2 ModSecurity v3.0.3 ModSecurity v3.0.4 (patch for this version available More Information: https://coreruleset.org/20200914/cve-2020-15598/