https://6a9cf20d.website-1u6.pages.dev/tags/cve-2023-38199/Recent content in CRS Projecthttps://6a9cf20d.website-1u6.pages.dev/20230717/cve-2023-38199-multiple-content-type-headers/Mon, 17 Jul 2023 10:57:39 +0200<p>The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP &ldquo;Content-Type&rdquo; header fields. As a result, on some platforms, it is possible to cause a CRS installation to process an HTTP request body differently (because of the different Content-Type) to how it would be processed by a backend web application.</p> <p>See the advisory at <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38199">https://nvd.nist.gov/vuln/detail/CVE-2023-38199</a>.</p> <p><strong>Update:</strong> <a href="https://coreruleset.org/20230724/crs-version-3-3-5-released/">CRS version 3.3.5 has now been released</a> to address this vulnerability.</p>