Candidate: CVE-2019-11387
PublicDate: 2019-04-21 02:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387
 https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1359
Description:
 An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through
 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote
 attackers to cause a denial of service (ReDOS) by entering a specially
 crafted string with nested repetition operators.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]

Patches_modsecurity-crs:
upstream_modsecurity-crs: needs-triage
precise/esm_modsecurity-crs: DNE
trusty_modsecurity-crs: ignored (reached end-of-life)
trusty/esm_modsecurity-crs: DNE (trusty was needs-triage)
xenial_modsecurity-crs: ignored (end of standard support, was needs-triage)
bionic_modsecurity-crs: needs-triage
cosmic_modsecurity-crs: ignored (reached end-of-life)
disco_modsecurity-crs: ignored (reached end-of-life)
eoan_modsecurity-crs: not-affected (3.1.1-1)
focal_modsecurity-crs: not-affected (3.1.1-1)
groovy_modsecurity-crs: not-affected (3.1.1-1)
hirsute_modsecurity-crs: not-affected (3.1.1-1)
impish_modsecurity-crs: not-affected (3.1.1-1)
jammy_modsecurity-crs: not-affected (3.1.1-1)
devel_modsecurity-crs: not-affected (3.1.1-1)