{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"HIGH"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional charset parameter in order to receive the response in an encoded form. Depending on the charset, this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39957"
			},
			{
				"summary":"CVE-2022-39957 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2022/csaf-openeuler-cve-2022-39957.json"
			},
			{
				"summary":"openEuler-SA-2022-1970",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1970"
			},
			{
				"summary":"CVE-2022-39957",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-39957&packageName=mod_security_crs"
			}
		],
		"title":"openEuler cve CVE-2022-39957",
		"tracking":{
			"initial_release_date":"2022-09-30T09:46:47+08:00",
			"revision_history":[
				{
					"date":"2022-09-30T09:46:47+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:46:47+08:00",
					"summary":"Current version",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:46:47+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:46:47+08:00",
			"id":"CVE-2022-39957",
			"version":"2.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"openEuler-20.03-LTS-SP3",
									"name":"openEuler-20.03-LTS-SP3"
								},
								"name":"openEuler-20.03-LTS-SP3",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS"
									},
									"product_id":"openEuler-22.03-LTS",
									"name":"openEuler-22.03-LTS"
								},
								"name":"openEuler-22.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"mod_security_crs-3.2.2-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"mod_security_crs-3.2.2-1.oe1.noarch.rpm"
								},
								"name":"mod_security_crs-3.2.2-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"mod_security_crs-3.2.2-1.oe1.noarch.rpm(20.03-LTS-SP3)",
									"name":"mod_security_crs-3.2.2-1.oe1.noarch.rpm"
								},
								"name":"mod_security_crs-3.2.2-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS"
									},
									"product_id":"mod_security_crs-3.2.2-1.oe2203.noarch.rpm",
									"name":"mod_security_crs-3.2.2-1.oe2203.noarch.rpm"
								},
								"name":"mod_security_crs-3.2.2-1.oe2203.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"mod_security_crs-3.2.2-1.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"mod_security_crs-3.2.2-1.oe1.src.rpm"
								},
								"name":"mod_security_crs-3.2.2-1.oe1.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"mod_security_crs-3.2.2-1.oe1.src.rpm(20.03-LTS-SP3)",
									"name":"mod_security_crs-3.2.2-1.oe1.src.rpm"
								},
								"name":"mod_security_crs-3.2.2-1.oe1.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS"
									},
									"product_id":"mod_security_crs-3.2.2-1.oe2203.src.rpm",
									"name":"mod_security_crs-3.2.2-1.oe2203.src.rpm"
								},
								"name":"mod_security_crs-3.2.2-1.oe2203.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"mod_security_crs-3.2.2-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.noarch",
					"name":"mod_security_crs-3.2.2-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"mod_security_crs-3.2.2-1.oe1.noarch.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.noarch",
					"name":"mod_security_crs-3.2.2-1.oe1.noarch as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS",
				"product_reference":"mod_security_crs-3.2.2-1.oe2203.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.noarch",
					"name":"mod_security_crs-3.2.2-1.oe2203.noarch as a component of openEuler-22.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"mod_security_crs-3.2.2-1.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.src",
					"name":"mod_security_crs-3.2.2-1.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"mod_security_crs-3.2.2-1.oe1.src.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.src",
					"name":"mod_security_crs-3.2.2-1.oe1.src as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS",
				"product_reference":"mod_security_crs-3.2.2-1.oe2203.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.src",
					"name":"mod_security_crs-3.2.2-1.oe2203.src as a component of openEuler-22.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2022-39957",
			"notes":[
				{
					"text":"The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional charset parameter in order to receive the response in an encoded form. Depending on the charset, this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.noarch",
					"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.noarch",
					"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.noarch",
					"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.src",
					"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.src",
					"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.noarch",
						"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.noarch",
						"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.noarch",
						"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.src",
						"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.src",
						"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.src"
					],
					"details":"mod_security_crs security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1970"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.noarch",
						"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.noarch",
						"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.noarch",
						"openEuler-20.03-LTS-SP1:mod_security_crs-3.2.2-1.oe1.src",
						"openEuler-20.03-LTS-SP3:mod_security_crs-3.2.2-1.oe1.src",
						"openEuler-22.03-LTS:mod_security_crs-3.2.2-1.oe2203.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2022-39957"
		}
	]
}