
Felipe Zipitría has announced the release of OWASP ModSecurity Core Rule Set 3.3.5. The OWASP ModSecurity Core Rule Set (CRS) is a collection of generic attack detection rules that can be used with ModSecurity or other compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with as few false alerts as possible.

OWASP ModSecurity Core Rule Set v3.3.5

This is the OWASP ModSecurity Core Rule Set version 3.3.5.

Important changes:

  • Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría)

  • Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
  • Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)

  • Clean up redundant paranoia level tags (Ervin Hegedus)
  • Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
  • Move testing framework from ftw to go-ftw (Felipe Zipitría)

Full Changelog: v3.3.4...v3.3.5

Release v3.3.5 · coreruleset/coreruleset