VDB

CVE-2021-42717

CVE-2021-42717 PUBLISHED

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

EPSS 2.04% · 84.2th percentile

Risk Scores

EPSS Score
2.04%
84.2th percentile

Affected Products

VendorProductVersions
Bitnamimodsecurity22.0.0, 2.0.0, 2.0.0
Bitnamimodsecurity2.0.0
Bitnamimodsecurity22.0.0
Bitnamimodsecurity2.0.0, 2.0.0, 2.0.0

Timeline

  • CVE Published
  • Dec 8, 2021 EPSS Score
  • Feb 1, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 21, 2022 EPSS Score
  • Sep 8, 2022 EPSS Score
  • Nov 2, 2022 EPSS Score
  • Feb 19, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Jun 8, 2023 EPSS Score
  • Aug 1, 2023 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›