Releases: coreruleset/coreruleset
v4.19.0
What's Changed
⭐ Important changes
- refactor: 920340 - delete 920341 by @touchweb-vincent in #4268
🆕 New features and detections 🎉
🧰 Other Changes
- fix: don't block `.url` file extension by @EsadCetiner in #4259
- fix(933135): wrong score variable by @touchweb-vincent in #4262
- fix(933153): missing inbound_anomaly_score by @touchweb-vincent in #4260
- fix(953100): remove generic SQLSTATE error codes causing false positives by @Elnadrion in #4257
- feat: add stricter sibling 954101 to 954100 by @franbuehler in #4258
- fix(942550): cleanup regex by @fzipi in #3767
- fix: reduce false positives with php response rules by @EsadCetiner in #4272
- fix: don't block on all question marks (942550 PL-1) by @EsadCetiner in #4264
- feat: whitelist application/csp-report content-type header by @Elnadrion in #4274
New Contributors
- @touchweb-vincent made their first contribution in #4262
- @Elnadrion made their first contribution in #4257
Full Changelog: v4.18.0...v4.19.0
v4.18.0
What's Changed
🆕 New features and detections 🎉
- feat: add `application/reports+json` content-type header by @Xhoenix in #4230
- feat: update unix commands list by @EsadCetiner in #4215
- feat: added ssh commands by @Xhoenix in #4249
- feat: detect `rmt` and `rmt-tar` by @theseion in #4242
🧰 Other Changes
- feat: Add product name tags by @TimDiam0nd in #3960
- fix: remove dot star by @Xhoenix in #4235
- fix(942370): remove dot star by @Xhoenix in #4234
- fix: avoid matching non-ruby errors and source code by @EsadCetiner in #4224
- fix: don't replace cmdline suffixes for 932220 and 932250 by @theseion in #4231
Full Changelog: v4.17.1...v4.18.0
v4.17.1
v4.17.0
Important
This release contains a new rule to detect LaTeX injections which was not supposed to be released as it is too prone to false positives in its current state. Please use v4.17.1 instead.
What's Changed
⭐ Important changes
🆕 New features and detections 🎉
- feat: added detection for ASP.NET errors by @Xhoenix in #4092
- feat: added detection for RCE via Referer header by @Xhoenix in #3993
- feat: added detection for LaTeX injection by @Xhoenix in #4206
- feat: added detection for ruby errors and code leakage by @Xhoenix in #4089
🧰 Other Changes
- fix(951xxx): remove dot star by @Xhoenix in #4171
- fix: use word boundary on 952110 to avoid matching non-java errors by @EsadCetiner in #4177
- feat: Update java-classes.data by @KIC-8462852 in #4173
- fix(931130): update file uri with single slash by @fzipi in #4193
- fix(932281): avoid matching on json payloads by @EsadCetiner in #4187
- fix: 932280/932281 bypass by @Xhoenix in #4207
New Contributors
- @KIC-8462852 made their first contribution in #4173
- @pre-commit-ci[bot] made their first contribution in #4185
- @pha6d made their first contribution in #4203
Full Changelog: v4.16.0...v4.17.0
v4.16.0
What's Changed
🆕 New features and detections 🎉
- feat: remediation for Python SSTI by @TheRubick in #4145
- fix: update rule 942560 by @Xhoenix in #4161
- feat: detect generic config filenames by @EsadCetiner in #4102
- feat: update `java-errors.data` by @Xhoenix in #4113
- feat: added rule to detect Bash Brace Expansion by @Xhoenix in #3780
- feat: added MongoDB operators by @Xhoenix in #4162
- feat: added zmodload and sudo-rs by @Xhoenix in #4143
🧰 Other Changes
- fix(941160): remove dot star by @fzipi in #4155
- fix(934140): remove dot star by @fzipi in #4165
- fix(932370): remove dot star by @fzipi in #4166
- fix(955xxx): remove dot star by @Xhoenix in #4169
- fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) by @EsadCetiner in #3840
- fix: create a stricter sibling to 932370 and move `at` to PL-2 (932370 PL-1, 932371 PL-2) by @EsadCetiner in #4015
- fix(942340): remove dot star by @fzipi in #4164
- refactor(942340): move to regex assembly by @fzipi in #4014
- fix(933160): remove dot star by @fzipi in #4167
New Contributors
- @TheRubick made their first contribution in #4145
Full Changelog: v4.15.0...v4.16.0
v4.15.0
What's Changed
🆕 New features and detections 🎉
- feat: add User-Agent and Referer into targets (942280 PL1) by @azurit in #4115
- feat: update `java-classes.data` by @Xhoenix in #4080
- feat: block database yaml files by @EsadCetiner in #4130
🧰 Other Changes
- fix: false positive with `title_strip_tags` by moving `strip_tags` to 933160 by @EsadCetiner in #4105
- fix: remove `self` command by @EsadCetiner in #4111
- fix: remove rc shell to reduce FPs by @theseion in #4125
- feat: remove unnecessary character class from 933151 by @TimDiam0nd in #4135
- fix: false positives with session tokens/cookies 933150 by @EsadCetiner in #4142
- fix: add word ending to unix command sendmail (932235 PL1, 932236 PL2, 932239 PL2, 932260 PL1) by @franbuehler in #4141
- feat: 933151 change from capture and double `pmf` to regex by @TimDiam0nd in #4139
- feat: 933120 change from capture and double `pmf` to regex by @TimDiam0nd in #4138
- feat: remove exclusion of deprecated `__utm` cookies by @theseion in #4151
Full Changelog: v4.14.0...v4.15.0
v4.14.0
What's Changed
🆕 New features and detections 🎉
- feat: detect ASP web shells by @Xhoenix in #4063
- feat: detect compressed database dumps by @EsadCetiner in #4082
- feat: detect javascript methods import fetch console.log `console.dir` by @EsadCetiner in #4076
🧰 Other Changes
- fix: fixing FPs related to rule 951220 by @azurit in #4079
- fix: don't block ttf font files by @EsadCetiner in #4081
- fix: 932270 FP by @Xhoenix in #3917
- fix(954100): detect forward slash in path by @Xhoenix in #4094
- fix: remove `.application` from restricted extensions by @EsadCetiner in #4103
- fix: 44J-250329 by @EsadCetiner in #4107
Full Changelog: v4.13.0...v4.14.0
v4.13.0
What's Changed
⭐ Important changes
🆕 New features and detections 🎉
- feat: block header related to CVE-2025-29927 (Next.js) by @azurit in #4053
- feat: added new XSS payloads by @Xhoenix in #4055
- feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in #4068
- feat: add additional files commonly accessed by bots by @EsadCetiner in #4069
- feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in #4057
- feat: add more default session cookie names by @Xhoenix in #4062
🪦 Rule removals
🧰 Other Changes
- fix(934130): extend prototype pollution payload by @Xhoenix in #4036
- fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in #4050
- fix: use boundary to fix false positive with email `firstname.dockery@host.tld` by @EsadCetiner in #4045
- feat: refresh restricted-upload.data by @S0obi in #4046
- fix: tag inconsistency per file by @Xhoenix in #4031
- fix: added pre-check of unset TX variable by @airween in #4066
- fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in #4019
New Contributors
Full Changelog: v4.12.0...v4.13.0
v4.12.0
What's Changed
🆕 New features and detections 🎉
- feat: prevent V1 cookie format use by @fzipi in #4006
- feat: added new restricted files for openstack and docker compose by @azurit in #4021
🧰 Other Changes
- fix: multipart header tag consistency by @Xhoenix in #3992
- fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) by @EsadCetiner in #3735
- docs: add warning about default charsets modification by @fzipi in #4003
- fix: response splitting rules and tests by @theseion in #4009
- fix(933160): use better regex by @fzipi in #4010
- fix: move fopen to 933160 to resolve fp with `RootAndLeafOpenCamera.jpg` (933150 PL-1, 933160 PL-1) by @EsadCetiner in #4016
- fix(941210): update log message to reflect rule javascript word detection by @fzipi in #4023
- fix: remove .env from lfi-os-files.data by @theseion in #4024
New Contributors
Full Changelog: v4.11.0...v4.12.0
v4.11.0
What's Changed
🪦 Rule removals
🧰 Other Changes
- fix: remove aliases man, mi, si and resolve positives (932125 PL1) by @franbuehler in #3971
- fix: remove where, if, for and vol and resolve false positives (932380 PL1) by @franbuehler in #3972
- fix: make 932300 actually case-insensitive by @theseion in #3977
- fix: remove sql function names to resolve false positives (942151 PL1) by @franbuehler in #3973
- fix: issue 3809 by @Xhoenix in #3983
Full Changelog: v4.10.0...v4.11.0