CVEs-PoC/2021/CVE-2021-42717.md

### [CVE-2021-42717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42717)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

### POC

#### Reference
- https://www.oracle.com/security-alerts/cpuapr2022.html

#### Github
- https://github.com/EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717
- https://github.com/nomi-sec/PoC-in-GitHub