CVE-2018-16384: SQL Injection
First published: Mon Sep 03 2018(Updated: )
A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Owasp Owasp Modsecurity Core Rule Set | <=3.0.2 | |
| Owasp Owasp Modsecurity Core Rule Set | =3.1.0-rc1 | |
| Owasp Owasp Modsecurity Core Rule Set | =3.1.0-rc3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-16384?
CVE-2018-16384 is a vulnerability that allows for a SQL injection bypass in the OWASP ModSecurity Core Rule Set.
How does CVE-2018-16384 work?
CVE-2018-16384 works by exploiting a SQL injection vulnerability in the OWASP ModSecurity Core Rule Set.
What is the severity of CVE-2018-16384?
The severity of CVE-2018-16384 is high with a CVSS score of 7.5.
Which software versions are affected by CVE-2018-16384?
The OWASP ModSecurity Core Rule Set versions 3.0.2, 3.1.0-rc1, and 3.1.0-rc3 are affected by CVE-2018-16384.
How can I fix CVE-2018-16384?
To fix CVE-2018-16384, it is recommended to update to a patched version of the OWASP ModSecurity Core Rule Set.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/owasp
- canonical/owasp owasp modsecurity core rule set
- version/owasp owasp modsecurity core rule set/3.0.2
- version/owasp owasp modsecurity core rule set/3.1.0-rc1
- version/owasp owasp modsecurity core rule set/3.1.0-rc3