coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2023-07-13T00:00:00
Updated: 2024-08-02T17:30:14.062Z
Reserved: 2023-07-13T00:00:00
Link: CVE-2023-38199
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-07-13T03:15:10.023
Modified: 2023-09-05T04:15:09.017
Link: CVE-2023-38199
Redhat
No data.