The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5.
For downloads and installation instructions, please refer to the Installation page.
This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers.
Aside from the security fix, a few other minor, non-breaking changes and improvements are also included in this release. The full changes are as follows:
- Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría)
- Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
- Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)
- Clean up redundant paranoia level tags (Ervin Hegedus)
- Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
- Move testing framework from ftw to go-ftw (Felipe Zipitría)
- Update sponsors list and copyright notices (Felipe Zipitría)
Please feel free to contact us with any questions or concerns about this release via the usual channels: directly via the CRS GitHub repository, in our Slack channel (#coreruleset on owasp.slack.com), or on our mailing list.
Andrew Howe on behalf of the Core Rule Set development team