Fluid Attacks Database

Description

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	modsecurity-apache	=2.9.3-3 \|\| >=0 <2.9.3-3+deb11u1	2.9.3-3+deb11u1
debian 12	modsecurity	>=0 <3.0.6-1	3.0.6-1
debian 12	modsecurity-apache	>=0 <2.9.5-1	2.9.5-1
debian 13	modsecurity	>=0 <3.0.6-1	3.0.6-1
debian 11	modsecurity	=3.0.10-1 \|\| =3.0.11-1 \|\| =3.0.12-1 \|\| =3.0.12-1.1 \|\| =3.0.12-1.1~exp1 \|\| =3.0.13-1 \|\| =3.0.14-1 \|\| =3.0.4-2 \|\| =3.0.6-1 \|\| =3.0.8-1 \|\| =3.0.8-2 \|\| =3.0.8-3 \|\| =3.0.9-1	-
debian 14	modsecurity-apache	>=0 <2.9.5-1	2.9.5-1
debian 14	modsecurity	>=0 <3.0.6-1	3.0.6-1
debian 13	modsecurity-apache	>=0 <2.9.5-1	2.9.5-1

Aliases

1. CVE-2021-427172. NVD-2021-427173. OSV-DEBIAN-2021-427174. OSV-2021-427175. SECURITY-TRACKER-CVE-2021-42717

References

1. https://github.com/EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.