Description
We have a lot of absolutely legal requests from real users with User-Agent like this:
Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36
These requests are blocked by 932239 with reason:
Matched Data: ; PG found within REQUEST_HEADERS:user-agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36
How to reproduce the misbehavior (-> curl call)
curl -X GET host.with.pl2.enabled -kL \
-H "User-Agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36" \
-H "Host: host.with.pl2.enabled"
Your Environment
- CRS version (e.g., v3.3.4): 4.3.0
- Paranoia level setting (e.g. PL1): PL2
- ModSecurity version (e.g., 2.9.6): ModSecurity v3.0.12 (Linux)
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): ingress-nginx controller v1.10.0
- Operating System and version: n/a
Confirmation
[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
muxmuse