CVE-2021-42717 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-42717 PUBLISHED

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

EPSS 2.04% · 83.7th percentile

Risk Scores

EPSS Score

2.04%

83.7th percentile

Affected Products

Vendor	Product	Versions
Bitnami	modsecurity2	2.0.0, 2.0.0, 2.0.0
Bitnami	modsecurity	2.0.0
Bitnami	modsecurity2	2.0.0
Bitnami	modsecurity	2.0.0, 2.0.0, 2.0.0

Timeline

Dec 7, 2021 CVE Published
Dec 8, 2021 EPSS Score
Jan 31, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 19, 2022 EPSS Score
Sep 5, 2022 EPSS Score
Oct 29, 2022 EPSS Score
Feb 14, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Jun 2, 2023 EPSS Score
Jul 26, 2023 EPSS Score

References

Open in Interactive Console →