CVE-2024-46292

EUVD-2024-41809
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue).
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Affected Products (NVD)
VendorProductVersion
trustwavemodsecurity
3.0.12
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
modsecurity
focal
needs-triage
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/README.md
https://github.com/yoloflz101/yoloflz/blob/main/README.md
https://modsecurity.org/20241011/about-cve-2024-46292-2024-october/