CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

References

Affected packages

Git / github.com/owasp-modsecurity/modsecurity

Affected ranges

Type: GIT
Repo: https://github.com/owasp-modsecurity/modsecurity
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

860299971df990610943c2ff18c70e7e5716db8b

Introduced

c1cd668acb820824e791ba802396c60900eae9c1

Fixed

c3d7f4b560797a052681dcffb97a22bb906487cd

Affected versions

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42717.json"

Git / gitlab.gnome.org/GNOME/glib

Affected ranges

Type: GIT
Repo: https://gitlab.gnome.org/GNOME/glib
Events: Introduced

4065bdd345719bc31876fc124766b6b8ad5a0f57

Fixed

666e90eae66a05e297e382d8dd58f2428d837deb

Affected versions

Other

GLIB_2_0_0

GLIB_2_0_1

GLIB_2_1_3

GLIB_2_1_4

GLIB_2_1_5

GLIB_2_2_0

GLIB_2_3_0

GLIB_2_3_1

GLIB_2_3_2

GLIB_2_3_3

GLIB_2_3_5

GLIB_2_3_6

GLIB_2_4_0

GLIB_2_4_1

GLIB_2_5_0

GLIB_2_5_1

GLIB_2_5_2

GLIB_2_5_3

GLIB_2_5_5

GLIB_2_5_6

GLIB_2_6_0

GLIB_2_6_1

GLIB_2_7_0

GLIB_2_7_1

GLIB_2_7_2

GLIB_2_7_3

GLIB_2_7_4

GLIB_2_7_5

GLIB_2_7_6

GLIB_2_7_7

GLIB_2_8_0

GLIB_2_8_1

GLIB_2_9_0

GLIB_2_9_1

GLIB_2_9_2

GLIB_2_9_3

GLIB_2_9_4

GTK_2_5_4

GTK_2_7_4

R_2_0_core

glib-2-0-branchpoint

glib-2-2-branchpoint

glib-2-4-branchpoint

glib-2-6-branchpoint

gobject_0_10_0

gobject_0_9_0

start

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42717.json"