Fluid Attacks Database

Description

ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	modsecurity	>=0 <3.0.4-1	3.0.4-1
debian 11	modsecurity	>=0 <3.0.4-1	3.0.4-1
debian 12	modsecurity	>=0 <3.0.4-1	3.0.4-1
debian 14	modsecurity	>=0 <3.0.4-1	3.0.4-1

Aliases

1. CVE-2019-250432. NVD-2019-250433. OSV-DEBIAN-2019-250434. OSV-2019-250435. SECURITY-TRACKER-CVE-2019-25043

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.