Candidate: CVE-2019-13464
PublicDate: 2019-07-09 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13464
 https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386
 https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1391
Description:
 An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of
 X.Filename instead of X_Filename can bypass some PHP Script Uploads rules,
 because PHP automatically transforms dots into underscores in certain contexts
 where dots are invalid.
Ubuntu-Description:
 msalvatore> For modsecurity, vulnerability is in the test suite. No security
  impact.
 msalvatore> There is security impact for modsecurity-crs
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_modsecurity:
upstream_modsecurity: needs-triage
precise/esm_modsecurity: DNE
trusty_modsecurity: ignored (out of standard support)
trusty/esm_modsecurity: DNE
xenial_modsecurity: DNE
bionic_modsecurity: DNE
cosmic_modsecurity: DNE
disco_modsecurity: ignored (reached end-of-life)
eoan_modsecurity: ignored (vulnerable code is part of the test suite, not production code)
focal_modsecurity: ignored (vulnerable code is part of the test suite, not production code)
groovy_modsecurity: ignored (vulnerable code is part of the test suite, not production code)
hirsute_modsecurity: ignored (vulnerable code is part of the test suite, not production code)
impish_modsecurity: ignored (vulnerable code is part of the test suite, not production code)
jammy_modsecurity: ignored (vulnerable code is part of the test suite, not production code)
devel_modsecurity: ignored (vulnerable code is part of the test suite, not production code)

Patches_modsecurity-crs:
upstream_modsecurity-crs: released (3.2.0-1)
precise/esm_modsecurity-crs: DNE
trusty_modsecurity-crs: ignored (out of standard support)
trusty/esm_modsecurity-crs: DNE
xenial_modsecurity-crs: not-affected (code not present)
bionic_modsecurity-crs: needed
cosmic_modsecurity-crs: ignored (reached end-of-life)
disco_modsecurity-crs: ignored (reached end-of-life)
eoan_modsecurity-crs: ignored (reached end-of-life)
focal_modsecurity-crs: not-affected (3.2.0-1)
groovy_modsecurity-crs: not-affected (3.2.0-1)
hirsute_modsecurity-crs: not-affected (3.2.0-1)
impish_modsecurity-crs: not-affected (3.2.0-1)
jammy_modsecurity-crs: not-affected (3.2.0-1)
devel_modsecurity-crs: not-affected (3.2.0-1)