CyberSec.Space Logo
Back to CVE Browser

CVE-2020-22669

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1360%
EPSS Percentile9.38th
PublishedSep 2, 2022
Last ModifiedNov 3, 2025

Vulnerability Description

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.

Affected Platforms (CPE)

πŸ“¦
Owasp

Owasp Modsecurity Core Rule Set

= 3.2.0
πŸ’»
Debian

Debian Linux

= 10.0

References & Advisories

πŸ”— https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
πŸ”— https://github.com/coreruleset/coreruleset/pull/1793
πŸ”— https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
πŸ”— https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
πŸ”— https://github.com/coreruleset/coreruleset/pull/1793
πŸ”— https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
πŸ”— https://lists.debian.org/debian-lts-announce/2025/08/msg00004.html

Related Vulnerabilities

CVE-2021-353689.8

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypas...

CVE-2018-163847.5

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {...

CVE-2019-134647.5

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PH...

CVE-2019-113895.3

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf all...