CVE-2021-35368
- Source
- https://cve.org/CVERecord?id=CVE-2021-35368
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-35368.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-35368
- Downstream
- Related
- Published
- 2021-11-05T18:15:09.317Z
- Modified
- 2026-04-02T07:00:23.177071Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IVYUJOKHDEXFTM2CZMEESJ6TZSPVNSSZ/
- https://owasp.org/www-project-modsecurity-core-rule-set/
- https://security.gentoo.org/glsa/202305-25
- https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
- https://portswigger.net/daily-swig/lessons-learned-how-a-severe-vulnerability-in-the-owasp-modsecurity-core-rule-set-sparked-much-needed-change
- https://portswigger.net/daily-swig/waf-bypass-severe-owasp-modsecurity-core-rule-set-bug-was-present-for-several-years
- https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
Affected packages
Git / github.com/coreruleset/coreruleset
Affected versions
Other
nightly
v3.*
v3.1.0
v3.1.0-rc2
v3.1.1
v3.2.0
v3.3.0
v3.3.0-rc1
v3.3.0-rc2
v3.3.1-rc1
v4.*
v4.0.0
v4.0.0-rc1
v4.0.0-rc2
v4.1.0
v4.10.0
v4.11.0
v4.12.0
v4.13.0
v4.14.0
v4.15.0
v4.16.0
v4.17.0
v4.17.1
v4.18.0
v4.19.0
v4.2.0
v4.20.0
v4.21.0
v4.22.0
v4.23.0
v4.24.0
v4.24.1
v4.25.0
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.9.0
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-35368.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "36"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "37"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
}
]