Skip to main content

General availability: Security Update for Application Gateway WAF CVE-2023-50164

Published date: December 24, 2023

Attention all Azure regional WAF customers: We have deployed a new managed rule to address the security vulnerability CVE-2023-50164. This security vulnerability could potentially impact your application.

The fix has been rolled out for the ruleset versions listed below.  If you believe that your application is vulnerable to this exploit we recommend changing the action of this rule from log to block. Please note that anomaly score action is not supported for this rule.

Default Ruleset (DRS): 2.1

  • ID: 99001017
  • Rule Group: MS-ThreatIntel-CVEs
  • State: Enabled
  • Action: Log

Core Ruleset (CRS): 3.2, 3.1

  • ID: 800114
  • Rule Group: KNOWN-CVES
  • State: Enabled
  • Action: Log
  • Note: This rule is only supported on WAFv2. Older WAFs running CRS 3.1 only support logging mode for this rule. To enable block mode you will need to upgrade to a newer ruleset version.

Thank you for choosing Azure for your web security needs.

  • Application Gateway
  • Web Application Firewall
  • Features
  • Services
  • Security