There is a severe security issue in our rule set. It has been present since the release of CRS 3.1.0 and was recently brought to our attention. Here is the official advisory that we are also publishing as CVE-2021-35368 via MITRE (as usual, MITRE will take a few days until they publish this). Offical Advisory …
CVE-2021-35368 – CRS Request Body Bypass (Update) Read More »
The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0. For downloads and installation instructions, please see the Installation page. This release packages many changes, such as: Block backup files ending with ~ in filename (Andrea Menin) Detect ffuf vuln scanner (Will Woodson) Detect Nuclei vuln scanner (azurit) …
OWASP ModSecurity Core Rule Set v3.3.0 available Read More »
The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the upcoming CRS v3.3.0 release. The release candidate is available at: https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.tar.gz https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.zip This release packages many changes, such as: New rule to detect LDAP injection New HTTP Splitting rule Block backup files ending with ~ in filename Detect …
OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 1 available Read More »
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz This release represents a very big step forward in terms of both capabilities and protections including: Improved compatibility with ModSecurity 3.x Improved CRS docker …
Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2 Read More »