FP: "time express" in json value #3711

@niklasweimann

Description

How to reproduce the misbehavior (-> curl call)

curl -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/?bla=time%20express"

However, "time" (which is a Unix command) is allowed and "express" is allowed as well, but the combination "time express" gets flagged as Unix RCE.

Logs

932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
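An added triage helper, not part of this issue or of CRS itself, that parses the txt-matched-rules output quoted above into the rules that fired and the anomaly-score breakdown, so a false-positive report like this one can be checked for which detection rule and which category pushed the inbound score over the threshold. The sample input is a copy of the three log lines above; the function and field names are my own.

```python
import re

# Sample input: a copy of the txt-matched-rules lines quoted in this report.
MATCHED_RULES = """\
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
"""

# One line per matched rule: "<6-digit id> PL<n> <message>"
RULE_LINE = re.compile(r"^(?P<id>\d{6}) PL(?P<pl>\d) (?P<msg>.*)$")
# Inbound score summary inside the 980170 reporting line
INBOUND = re.compile(r"Inbound Scores: blocking=(\d+), detection=(\d+), per_pl=([\d-]+), threshold=(\d+)")
# Per-attack-category scores (SQLI=0, ..., RCE=5, ...)
CATEGORY = re.compile(r"\b(SQLI|XSS|RFI|LFI|RCE|PHPI|HTTP|SESS)=(\d+)")


def parse_matched_rules(text):
    """Parse txt-matched-rules output into rule hits, inbound score details
    and per-category scores."""
    result = {"rules": [], "inbound": None, "categories": {}}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue  # skip anything that is not a rule line
        result["rules"].append({"id": m["id"], "pl": int(m["pl"]), "msg": m["msg"]})
        if m["id"] == "980170":  # the reporting rule carries the score breakdown
            s = INBOUND.search(m["msg"])
            if s:
                result["inbound"] = {
                    "blocking": int(s[1]),
                    "detection": int(s[2]),
                    "per_pl": [int(x) for x in s[3].split("-")],
                    "threshold": int(s[4]),
                }
            result["categories"] = {k: int(v) for k, v in CATEGORY.findall(m["msg"])}
    return result


def triage(parsed):
    """Report whether the request was blocked, which detection rules fired
    (excluding the 949xxx/980xxx evaluation and reporting rules) and which
    attack categories contributed score."""
    detection_rules = [r["id"] for r in parsed["rules"] if not r["id"].startswith(("949", "980"))]
    inbound = parsed["inbound"]
    blocked = inbound is not None and inbound["blocking"] >= inbound["threshold"]
    culprits = [k for k, v in parsed["categories"].items() if v > 0]
    return {"blocked": blocked, "rules": detection_rules, "categories": culprits}


if __name__ == "__main__":
    print(triage(parse_matched_rules(MATCHED_RULES)))
```

For this report the output attributes the block to rule 932235 alone, with the whole score coming from the RCE category at PL1.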

Your Environment

  • CRS-Docker: 4.2.0
  • Paranoia level setting (e.g. PL1) : PL1
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): nginx
  • Operating System and version: ubuntu 22.04

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Labels

  • False Positive
  • v4 LTS (Needed for v4 LTS)
  • v4 unix rce (One of the many reports on FPs with the new unix rce rules in v4)