CVE-2023-38199

CVE-2023-38199 – Multiple Content-Type Headers

The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP “Content-Type” header fields. As a result, on some platforms, it is possible to cause a CRS installation to process an HTTP request body differently (because of the differing Content-Type values) from how it would be processed by the backend web application. See the advisory at https://nvd.nist.gov/vuln/detail/CVE-2023-38199. Update: CRS version 3.3.5 has now been released to address this vulnerability.
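The defensive check the advisory implies is simple to state: a request carrying more than one Content-Type field is ambiguous, and the WAF should flag it rather than pick one value and hope the backend picks the same. The following Python is an added illustration of that check, not CRS's own rule and not code from the advisory; it parses the head of a raw HTTP/1.1 request, matches the field name case-insensitively, and returns every Content-Type value seen so that a caller can block or log the request when more than one is present. The two sample requests are constructed for the example.

```python
"""Flag HTTP requests that carry more than one Content-Type header field.

Added example for the CVE-2023-38199 write-up; it is not the CRS rule itself.
It parses only the request head (up to the first blank line) and treats header
names case-insensitively, as RFC 9110 requires.
"""
from typing import List, Tuple


def parse_header_fields(raw_request: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order, with names lower-cased.

    The body is ignored: the point of the check is the header block, and the
    body's interpretation is exactly what depends on the contested header.
    """
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    fields: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line (method, target, version)
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append(
            (name.strip().lower().decode("latin-1"), value.strip().decode("latin-1"))
        )
    return fields


def find_duplicate_content_type(raw_request: bytes) -> List[str]:
    """Return all Content-Type values if the field occurs more than once, else [].

    Content-Type is a singleton field, so a second occurrence is never valid
    list-merging; it is an ambiguity that a WAF and a backend may resolve
    differently, which is the condition the advisory describes.
    """
    values = [v for n, v in parse_header_fields(raw_request) if n == "content-type"]
    return values if len(values) > 1 else []


# Constructed sample requests (not captured traffic).
SAMPLE_SINGLE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)

# Same request with a second, differently cased Content-Type field.
SAMPLE_DUPLICATE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"content-type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)

if __name__ == "__main__":
    for label, sample in (("single", SAMPLE_SINGLE), ("duplicate", SAMPLE_DUPLICATE)):
        dupes = find_duplicate_content_type(sample)
        verdict = "FLAG (ambiguous body type)" if dupes else "ok"
        print(f"{label}: {verdict} {dupes}")
```

Whether the values differ or merely repeat, the safe policy is to reject or at least log the request, because the check cannot know which value the backend will honour. Note that an HTTP/2 front end lower-cases header names before they reach the WAF, so the case-insensitive comparison is what keeps the check meaningful across both protocol versions.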