Vulnerability Details CVE-2018-16384
A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2018-16384
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:2.2.5
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:2.2.6
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:2.2.7
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:2.2.8
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:2.2.9
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.0.0
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.0.1
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.0.2
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:3.1.0