CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 3 Apr 2013 08:23:19 -0400 (EDT)
Hello Kurt, Steve, Breno, vendors,
ModSecurity upstream has released the v2.7.3 version:
correcting one security flaw (from ):
"It was reported that the XML files parser of ModSecurity,
a security module for the Apache HTTP Server, was vulnerable
to XML External Entity attacks. A remote attacker could
provide a specially-crafted XML file that, when processed,
might lead to local file disclosure or, potentially,
excessive resource (memory, CPU) consumption."
Relevant upstream patch (seems to be the following):
Could you allocate a CVE id [*] for this?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
[*] According to: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity
there doesn't seem to have been a CVE id allocated for this issue yet.