A security problem with the OWASP ModSecurity Core Rule Set has been brought to our attention recently. The CRS team is now working on a fix that will be released on Wednesday as 3.1.2, 3.2.1 and 3.3.2.
We will make sure to keep the changeset of these bugfix releases minimal in order to allow fast patching.
MITRE has assigned the number CVE-2021-35368 to this weakness. We consider the severity of the vulnerability to be HIGH.
Please note that this is a vulnerability caused by a problem in CRS. It has nothing to do with ModSecurity. It is thus independent of the rule engine.
Christian Folini, CRS Co-Lead
Christian Folini / @ChrFolini