CVE-2023-28882: 
NixOS vulnerability analysis and mitigation

Trustwave ModSecurity versions 3.0.5 through 3.0.8 before 3.0.9 contains a vulnerability that allows a denial of service condition through worker crash and unresponsiveness. The vulnerability was discovered in early 2023 and was assigned CVE-2023-28882. The issue affects the Transaction class in ModSecurity for certain configurations (Trustwave Release).

The vulnerability stems from uninitialized member variables in the Transaction class, which can result in a segmentation fault under specific configurations with certain inputs. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD Database).

When exploited, this vulnerability can cause a worker process to crash through a segmentation fault. If multiple such requests are sent rapidly, it can lead to the server becoming slow or completely unresponsive to legitimate requests, effectively creating a denial of service condition (Trustwave Release).

The vulnerability has been fixed in ModSecurity version 3.0.9. Organizations running affected versions (3.0.5 through 3.0.8) should upgrade to version 3.0.9 or later to mitigate this security issue (Trustwave Release).