CVE-2021-42717

Description

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

How to fix CVE-2021-42717

To remediate CVE-2021-42717, upgrade the affected package to a fixed version below.

• —upgrade to 2.9.5 or later
• —upgrade to 2.9.5 or later
• —no fix listed
• —upgrade to 2.9.3-3+deb11u1 or later
• —upgrade to 2.9.1-2+deb9u1 or later
• —upgrade to 2.9.3-1+deb10u1 or later

Is CVE-2021-42717 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 2.0.0, < 2.9.5
• >= 2.0.0, < 2.9.5
• from 0
• from 0, < 2.9.3-3+deb11u1
• from 0, < 2.9.1-2+deb9u1
• from 0, < 2.9.3-1+deb10u1

CVSS scores

References (6)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-42717
• WEBlists.debian.org/debian-lts-announce/2022/05/msg00042.html
• WEBnvd.nist.gov/vuln/detail/CVE-2021-42717
• WEBwww.debian.org/security/2021/dsa-5023
• WEB