CVE-2021-42717

Published: Dec 7, 2021Modified: Jul 3, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Affected (10)

Products: Owasp: Modsecurity · Trustwave: Modsecurity · F5: Nginx Modsecurity Waf · +2 more

Show all products

Owasp: Modsecurity · Trustwave: Modsecurity · F5: Nginx Modsecurity Waf · Debian: Debian Linux · Oracle: Http Server, Zfs Storage Appliance Kit

1 product

1 product

1 product

Nginx Modsecurity Waf

1 product

2 products

Zfs Storage Appliance Kit

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Owasp Modsecurity	From 3.0.0 to 3.0.6
Trustwave Modsecurity	From 2.0.0 to 2.9.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
F5 Nginx Modsecurity Waf	Version r24
F5 Nginx Modsecurity Waf	Version r25

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Oracle Http Server	Version 12.2.1.3.0
Oracle Http Server	Version 12.2.1.4.0
Oracle Zfs Storage Appliance Kit	Version 8.8

Related CWEs

Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

References (8)

https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://www.debian.org/security/2021/dsa-5023

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/

Source: cve@mitre.org

ExploitMitigationVendor Advisory

https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.debian.org/security/2021/dsa-5023

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationVendor Advisory

Timeline

No history available yet.