
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-39955, a vulnerability in the OWASP ModSecurity Core Rule Set (CRS), was discovered in September 2022. It allows a partial rule set bypass via a specially crafted HTTP Content-Type header field that declares multiple character encoding schemes (charsets). Affected are the legacy CRS 3.0.x and 3.1.x branches as well as versions 3.2.1 and 3.3.2 (CRS Project).
By declaring more than one Content-Type charset name, an attacker can bypass the configurable CRS Content-Type header charset allow list. An encoded payload can then pass CRS detection and may be decoded by the backend. NVD assigned the vulnerability a CVSS v3.1 base score of 9.8 CRITICAL; the Switzerland Government Common Vulnerability Program rated it 7.3 HIGH (NVD).
When successfully exploited, the flaw defeats the web application firewall's protection for requests carrying such a Content-Type header: malicious payloads may reach the backend server without being detected by the security rules (CRS Project).
Users and integrators are advised to upgrade to CRS 3.2.2 or 3.3.3 or later. For Debian 10 buster, the fix ships in version 3.2.3-0+deb10u3. System administrators should also review their ModSecurity configuration, in particular /etc/modsecurity/modsecurity.conf, against the updated recommended configuration (Debian LTS).
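The charset allow-list check the advisory describes, as an added defensive example that is not CRS code: it shows why a header with duplicate charset parameters must be rejected outright rather than having one of its charsets compared against the allow list. The allow-list values, the sample headers and the naive comparison check are constructed for illustration; the parser is a simplified split on `;` and is not the CRS rule itself.

```python
"""Defensive validation of HTTP Content-Type charset declarations.

Added illustration (not CRS code). The advisory describes a bypass in which a
Content-Type header carries more than one charset parameter so that an
allow-list check on "the" charset is satisfied while the backend decodes the
request with a different charset. A hardened check treats duplicate charset
parameters as a policy violation instead of choosing one of them.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed allow list; the exact CRS default is not reproduced here.
ALLOWED_CHARSETS = frozenset({"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"})


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    charsets: Tuple[str, ...]   # every charset value seen, in header order


def parse_content_type(header: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'type/subtype; k=v; k2="v2"' into media type and parameters.

    Names and values are lower-cased and surrounding quotes are stripped.
    Duplicate parameters are preserved so the caller can see all of them.
    """
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params: List[Tuple[str, str]] = []
    for raw in parts[1:]:
        if not raw:
            continue                      # tolerate a trailing ';'
        name, sep, value = raw.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # charset="UTF-8" -> UTF-8
        params.append((name.strip().lower(), value.lower() if sep else ""))
    return media_type, params


def naive_first_charset_allowed(header: str, allowed=ALLOWED_CHARSETS) -> bool:
    """Constructed weak check: looks only at the first charset parameter.

    Shown for contrast; a second charset parameter is never inspected.
    """
    _, params = parse_content_type(header)
    for name, value in params:
        if name == "charset":
            return value in allowed
    return True                           # no charset declared


def check_content_type(header: str, allowed=ALLOWED_CHARSETS) -> Verdict:
    """Hardened check: reject duplicate charsets, then apply the allow list."""
    _, params = parse_content_type(header)
    charsets = tuple(value for name, value in params if name == "charset")
    if len(charsets) > 1:
        return Verdict(False, "multiple charset parameters in Content-Type", charsets)
    if len(charsets) == 1 and charsets[0] not in allowed:
        return Verdict(False, f"charset {charsets[0]!r} not in allow list", charsets)
    return Verdict(True, "ok", charsets)


# Constructed sample headers, not captured traffic.
SAMPLE_HEADERS = [
    "application/x-www-form-urlencoded; charset=utf-8",
    'text/plain; charset="UTF-8"',
    "application/json",
    "application/json; charset=utf-16",
    "application/json; charset=utf-8; charset=utf-16",
]


def run_samples() -> List[Tuple[str, bool, bool]]:
    """Return (header, naive_verdict, hardened_verdict) for each sample."""
    return [(h, naive_first_charset_allowed(h), check_content_type(h).allowed)
            for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, naive, hardened in run_samples():
        print(f"{header!r:55} naive={naive!s:5} hardened={hardened}")
```

The last sample header is the interesting one: the naive check accepts it because the first charset is on the allow list, while the hardened check rejects it because two charsets are declared and there is no safe way to know which one the backend will honour.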
Source: This report was generated using AI