Sunday, March 23, 2025
Follow us On Linkedin
Homecyber securityOWASP ModSecurity Core Rule 3.3.5 Released - What’s New!

OWASP ModSecurity Core Rule 3.3.5 Released – What’s New!

cyber securityCyber Security News

Published on

By Gurubaran
OWASP ModSecurity Core Rule 3.3.5 Released – What’s New!

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

The CRS v3.3.5 release has been announced by the OWASP ModSecurity Core Rule Set (CRS) team.

The OWASP ModSecurity Core Rule Set (CRS) is a set of general attack detection rules that may be used with ModSecurity or other compatible web application firewalls.

The CRS seeks to guard online applications against a variety of assaults, including the OWASP Top Ten, while producing the few false alarms as possible.

The CRS offers defense against numerous popular attack types, such as SQL Injection, Cross Site Scripting, Local File Inclusion, and others.

Fixes To CVE-2023-38199 – Multiple Content-Type Headers

On March 24, 2023, the ModSecurity project first raised this vulnerability to the attention of the CRS project.

Multiple HTTP “Content-Type” header fields are not detected by the OWASP ModSecurity Core Rule Set (CRS) v3.3.4.

Because of this, on some platforms, a CRS installation may interpret an HTTP request body differently (as a result of the differing Content-Type) than a backend web application would.

The company later determined that the CRS reference platform (ModSecurity 2.9.x on Apache 2.4) was unaffected.

To resolve this vulnerability, CRS 3.3.5 has just been released.

“This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers”, the Core Rule Set development team said in its advisory.

Other Changes and Improvements in CRS v3.3.5 Release

  • Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
  • Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)
  • Clean up redundant paranoia-level tags (Ervin Hegedus)
  • Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
  • Move testing framework from ftw to go-ftw (Felipe Zipitría)
  • Update sponsors list and copyright notices (Felipe Zipitría)

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware

In a recent surge of sophisticated cyberattacks, threat actors have been utilizing fake CAPTCHA...
cyber security

Researchers Uncover FIN7’s Stealthy Python-Based Anubis Backdoor

Researchers have recently discovered a sophisticated Python-based backdoor, known as the Anubis Backdoor, deployed...
cyber security

Researchers Reveal macOS Vulnerability Exposing System Passwords

A recent article by Noah Gregory has highlighted a significant vulnerability in macOS, identified...
Cloud

JumpServer Flaws Allow Attackers to Bypass Authentication and Gain Full Control

JumpServer, a widely used open-source Privileged Access Management (PAM) tool developed by Fit2Cloud, has...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

cyber security

Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware

In a recent surge of sophisticated cyberattacks, threat actors have been utilizing fake CAPTCHA...
cyber security

Researchers Uncover FIN7’s Stealthy Python-Based Anubis Backdoor

Researchers have recently discovered a sophisticated Python-based backdoor, known as the Anubis Backdoor, deployed...
cyber security

Researchers Reveal macOS Vulnerability Exposing System Passwords

A recent article by Noah Gregory has highlighted a significant vulnerability in macOS, identified...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved