https://31d2f1a5.website-1u6.pages.dev/tags/ddos/Recent content in CRS Projecthttps://31d2f1a5.website-1u6.pages.dev/20190425/regular-expression-dos-weaknesses-in-crs/Thu, 25 Apr 2019 15:29:15 +0200<p>Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs:</p> <ul> <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387">CVE-2019–11387</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11388">CVE-2019–11388</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11389">CVE-2019–11389</a></li> <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11390">CVE-2019–11390</a></li> <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11391">CVE-2019–11391</a></li> </ul> <p>The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We just have not solved it yet - or have not been able to solve it yet.</p>