CVE-2021-35368 Overview
CVE-2021-35368 is a critical security bypass vulnerability affecting the OWASP ModSecurity Core Rule Set (CRS), a widely deployed open-source Web Application Firewall (WAF) rule set. The vulnerability allows attackers to bypass request body inspection entirely by appending a trailing pathname to HTTP requests. This renders the WAF's protection ineffective, enabling malicious payloads such as SQL injection, cross-site scripting, and remote code execution attacks to reach backend applications undetected.
The vulnerability was present in the CRS codebase for several years before discovery, affecting versions 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2. Given the widespread deployment of ModSecurity CRS in production environments protecting web applications, this vulnerability represents a significant security risk as it undermines the core protection mechanism of the WAF.
Critical Impact
Complete WAF bypass allowing attackers to deliver malicious payloads to protected applications without detection. This vulnerability negates the security benefits of ModSecurity CRS deployment.
Affected Products
- OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2
- OWASP ModSecurity Core Rule Set 3.2.x before 3.2.1
- OWASP ModSecurity Core Rule Set 3.3.x before 3.3.2
- Fedora 36 and 37 (with affected CRS packages)
- Debian Linux 10.0 (with affected CRS packages)
Discovery Timeline
- 2021-06-30 - OWASP published security advisory for CVE-2021-35368
- 2021-11-05 - CVE-2021-35368 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-35368
Vulnerability Analysis
This vulnerability is classified as a request body bypass issue that exploits how the OWASP ModSecurity Core Rule Set handles HTTP request parsing. The CRS provides protection rules that inspect request bodies for malicious content such as SQL injection, XSS payloads, and command injection attempts. However, due to improper handling of trailing pathnames in HTTP requests, attackers can craft requests that cause the CRS rules to skip body inspection entirely.
When a specially crafted request with a trailing pathname is sent to a ModSecurity-protected application, the rule engine fails to properly evaluate the request body against the configured security rules. This means that any malicious payload embedded in the request body passes through to the backend application without triggering any WAF alerts or blocks.
The vulnerability is particularly severe because it is exploitable over the network, requires no authentication or user interaction, and can be used remotely against any application protected by vulnerable CRS versions. The attack complexity is low, making it trivial for attackers to weaponize.
Root Cause
The root cause of CVE-2021-35368 lies in the CRS rule logic that processes HTTP requests before applying security inspections. The rule set contains a flaw in how it determines which requests should have their bodies inspected. When processing requests with certain trailing pathname patterns, the CRS incorrectly classifies the request in a way that bypasses the body inspection phase.
This architectural flaw was present in the CRS codebase for several years, as reported in PortSwigger's coverage. The vulnerability highlights the challenges of maintaining complex rule sets that must handle the wide variety of HTTP request formats while maintaining security coverage.
Attack Vector
The attack vector for CVE-2021-35368 is network-based and can be executed remotely without any privileges or user interaction. An attacker crafts an HTTP request containing a trailing pathname that triggers the bypass condition, then includes malicious payloads in the request body. The payload can be any attack type that CRS would normally block, including:
- SQL injection payloads targeting database backends
- Cross-site scripting (XSS) payloads for browser exploitation
- Remote code execution commands
- Path traversal sequences
- XML/JSON injection attacks
The attack exploits the trailing pathname parsing behavior to evade body inspection. The trigger lies in the structure of the request path; once the bypass condition is met, any payload that CRS rules would normally block can be delivered to the backend. For detailed technical information, refer to the Core Rule Set CVE-2021-35368 advisory.
Detection Methods for CVE-2021-35368
Indicators of Compromise
- HTTP requests with unusual trailing pathname patterns that differ from normal application traffic
- Increased attack traffic reaching backend applications that should have been blocked by the WAF
- Application-level security events (SQL errors, XSS attempts) that were not preceded by WAF blocks
- Log analysis showing requests that bypassed CRS inspection rules
Detection Strategies
- Review ModSecurity audit logs for requests that reached backend applications without triggering expected security rules
- Implement backend application logging to detect attacks that may have bypassed WAF protection
- Compare CRS version in deployment against known vulnerable versions (3.1.x < 3.1.2, 3.2.x < 3.2.1, 3.3.x < 3.3.2)
- Deploy network-level monitoring to detect anomalous HTTP request patterns with trailing pathnames
Monitoring Recommendations
- Enable comprehensive logging at both WAF and application layers to correlate security events
- Implement anomaly detection for HTTP requests with unusual URI structures
- Monitor backend application security logs for attack patterns that should have been blocked by CRS
- Set up alerts for increases in application-layer attacks that may indicate WAF bypass attempts
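To make the first two detection strategies concrete, here is an added example (not from the advisory or the CRS project) that correlates ModSecurity block entries from the web server error log with backend security events and flags application-layer attack symptoms that no WAF block accounts for. Both log excerpts are constructed; the backend key=value format and the 10-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ModSecurity block entries as Apache writes them to the error
# log (not real logs); only the fields this script needs are included.
WAF_LOG = """\
[Fri Jul 02 10:00:00.100000 2021] [:error] [pid 12] [client 203.0.113.5:40000] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [uri "/login"]
[Fri Jul 02 10:00:05.200000 2021] [:error] [pid 12] [client 203.0.113.5:40001] ModSecurity: Access denied with code 403 (phase 2). [id "941100"] [uri "/search"]
"""
# Constructed backend security events; the key=value format is an assumption.
APP_LOG = """\
2021-07-02T10:00:00Z WARN client=203.0.113.5 uri=/login event=sql_syntax_error
2021-07-02T10:00:06Z WARN client=203.0.113.5 uri=/search event=xss_filter_hit
2021-07-02T10:00:30Z WARN client=203.0.113.5 uri=/api/items event=sql_syntax_error
"""
WAF_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] .*\[client (?P<ip>[^:\]]+)(?::\d+)?\] '
                    r'ModSecurity: Access denied.*\[uri "(?P<uri>[^"]+)"\]')
APP_RE = re.compile(r'^(?P<ts>\S+) \S+ client=(?P<ip>\S+) uri=(?P<uri>\S+) event=(?P<event>\S+)')

def parse_waf_blocks(text):
    """(client_ip, uri, timestamp) for every request the WAF denied."""
    blocks = []
    for line in text.splitlines():
        m = WAF_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            blocks.append((m["ip"], m["uri"], ts))
    return blocks

def parse_app_events(text):
    """Backend security events as dicts with ip, uri, event and a datetime ts."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ip": m["ip"], "uri": m["uri"], "event": m["event"], "ts": ts})
    return events

def unblocked_events(waf_text, app_text, window_s=10):
    """Backend attack symptoms with no WAF block for the same client and URI
    within window_s seconds: candidates for a request-body inspection bypass."""
    blocks = parse_waf_blocks(waf_text)
    window = timedelta(seconds=window_s)
    return [ev for ev in parse_app_events(app_text)
            if not any(ip == ev["ip"] and uri == ev["uri"] and abs(ts - ev["ts"]) <= window
                       for ip, uri, ts in blocks)]

if __name__ == "__main__":
    for ev in unblocked_events(WAF_LOG, APP_LOG):
        print(f"{ev['ts'].isoformat()} {ev['ip']} {ev['uri']} {ev['event']}: no matching WAF block")
```

On the constructed data the /login and /search events each have a WAF block for the same client and URI within the window, so only the /api/items SQL error is reported.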
How to Mitigate CVE-2021-35368
Immediate Actions Required
- Upgrade OWASP ModSecurity Core Rule Set to patched versions: 3.1.2 or later, 3.2.1 or later, or 3.3.2 or later
- Verify CRS version currently deployed using configuration files or package management commands
- Review security logs for potential exploitation attempts during the vulnerable period
- Consider deploying additional security layers (application-level input validation) while patching
Patch Information
OWASP has released patched versions of the Core Rule Set that address this vulnerability. Organizations should upgrade to the following minimum versions:
- CRS 3.1.x users: Upgrade to 3.1.2 or later
- CRS 3.2.x users: Upgrade to 3.2.1 or later
- CRS 3.3.x users: Upgrade to 3.3.2 or later
For distributions, refer to vendor-specific advisories:
- Debian LTS Security Announcement
- Gentoo GLSA 2023-05-25
- Fedora users should update via standard package management
Workarounds
- If immediate patching is not possible, consider implementing additional upstream filtering to normalize HTTP requests before they reach ModSecurity
- Deploy application-level security controls as a defense-in-depth measure
- Implement strict input validation at the application layer to mitigate potential bypass attacks
- Consider temporarily increasing logging verbosity to detect potential exploitation attempts
Commands to verify and update the installed CRS version:
# Verify current CRS version
grep -r "version" /etc/modsecurity/crs-setup.conf
# Check package version on Debian/Ubuntu
apt-cache policy modsecurity-crs
# Check package version on Fedora/RHEL
rpm -q mod_security_crs
# Update CRS on Debian/Ubuntu
sudo apt update && sudo apt install modsecurity-crs
# Update CRS on Fedora
sudo dnf update mod_security_crs
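As an added example (not the project's own tooling), the following script reads the version out of crs-setup.conf and compares it against the affected ranges listed above. It assumes the CRS 3.x convention of recording the version as setvar:tx.crs_setup_version=NNN; the SAMPLE_CONF fragment is constructed.

```python
import re

# First fixed patch level for each affected CRS branch, as listed in the advisory:
# 3.1.x < 3.1.2, 3.2.x < 3.2.1, 3.3.x < 3.3.2.
FIRST_FIXED_PATCH = {(3, 1): 2, (3, 2): 1, (3, 3): 2}

# CRS 3.x records its version in crs-setup.conf as a setvar on a SecAction,
# e.g. setvar:tx.crs_setup_version=332 (assumed present and unmodified).
SETUP_VERSION_RE = re.compile(r"setvar:tx\.crs_setup_version=(\d{3})\b")

def parse_version(text):
    """Turn '3.3.1' (dotted) or '331' (crs_setup_version digits) into (3, 3, 1)."""
    parts = text.split(".") if "." in text else list(text)
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CRS version string: {text!r}")
    return tuple(int(p) for p in parts)

def version_from_setup_conf(conf_text):
    """Extract the version from crs-setup.conf contents, or None if not found."""
    m = SETUP_VERSION_RE.search(conf_text)
    return parse_version(m.group(1)) if m else None

def is_vulnerable(version):
    """True when version falls in a range the advisory lists as affected.
    Branches the advisory does not list are reported as not affected here."""
    major, minor, patch = version
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def required_upgrade(version):
    """Minimum version on the same branch that closes the issue, or None."""
    major, minor, _ = version
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    return f"{major}.{minor}.{fixed}" if is_vulnerable(version) else None

# Constructed crs-setup.conf fragment for demonstration (not a real file).
SAMPLE_CONF = 'SecAction "id:900990,phase:1,nolog,pass,t:none,setvar:tx.crs_setup_version=331"\n'

if __name__ == "__main__":
    v = version_from_setup_conf(SAMPLE_CONF)
    status = "vulnerable" if is_vulnerable(v) else "not affected"
    print(".".join(map(str, v)), status, required_upgrade(v) or "")
```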
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.