OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/jptosso/coraza-waf(Go) | 0 | 3.3.3 | N/A |
| github.com/corazawaf/coraza/v3(Go) | 0 | 3.3.3 | N/A |
CVSS Metrics
