Wednesday, April 9, 2025
Follow us On Linkedin
Homecyber securityOWASP ModSecurity Core Rule 3.3.5 Released - What’s New!

OWASP ModSecurity Core Rule 3.3.5 Released – What’s New!

cyber securityCyber Security News

Published on

By Gurubaran
OWASP ModSecurity Core Rule 3.3.5 Released – What’s New!

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

The CRS v3.3.5 release has been announced by the OWASP ModSecurity Core Rule Set (CRS) team.

The OWASP ModSecurity Core Rule Set (CRS) is a set of general attack detection rules that may be used with ModSecurity or other compatible web application firewalls.

The CRS seeks to guard online applications against a variety of assaults, including the OWASP Top Ten, while producing the few false alarms as possible.

- Advertisement - Google News

The CRS offers defense against numerous popular attack types, such as SQL Injection, Cross Site Scripting, Local File Inclusion, and others.

Fixes To CVE-2023-38199 – Multiple Content-Type Headers

On March 24, 2023, the ModSecurity project first raised this vulnerability to the attention of the CRS project.

Multiple HTTP “Content-Type” header fields are not detected by the OWASP ModSecurity Core Rule Set (CRS) v3.3.4.

Because of this, on some platforms, a CRS installation may interpret an HTTP request body differently (as a result of the differing Content-Type) than a backend web application would.

The company later determined that the CRS reference platform (ModSecurity 2.9.x on Apache 2.4) was unaffected.

To resolve this vulnerability, CRS 3.3.5 has just been released.

“This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers”, the Core Rule Set development team said in its advisory.

Other Changes and Improvements in CRS v3.3.5 Release

  • Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
  • Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)
  • Clean up redundant paranoia-level tags (Ervin Hegedus)
  • Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
  • Move testing framework from ftw to go-ftw (Felipe Zipitría)
  • Update sponsors list and copyright notices (Felipe Zipitría)

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

20 Best Incident Response Tools in 2025

In today's digital era, organizations face an ever-growing threat landscape, with cyberattacks, data breaches,...
Chrome

Chrome Use-After-Free Vulnerability Enables Remote Code Attacks

Google has rolled out a critical update for its Chrome browser, addressing a high-severity...
CVE/vulnerability

Windows CLFS 0-Day Vulnerability Exploited in the Wild

Microsoft has disclosed an active exploitation of a zero-day vulnerability in the Windows Common...
CVE/vulnerability

Kibana Releases Security Patch to Fix Code Injection Vulnerability

Elastic, the company behind Kibana, has released critical security updates to address a high-severity...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

cyber security

20 Best Incident Response Tools in 2025

In today's digital era, organizations face an ever-growing threat landscape, with cyberattacks, data breaches,...
Chrome

Chrome Use-After-Free Vulnerability Enables Remote Code Attacks

Google has rolled out a critical update for its Chrome browser, addressing a high-severity...
CVE/vulnerability

Windows CLFS 0-Day Vulnerability Exploited in the Wild

Microsoft has disclosed an active exploitation of a zero-day vulnerability in the Windows Common...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved