CVE-2019-10054 — Improper Input Validation in Suricata

CWE-20 — Improper Input Validation CWE-191 — Integer Underflow (Wrap or Wraparound)CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 34.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oisf Suricata Suricata-ids Suricata

Timeline

PublishedAug 28

Latest updateMay 24

Description

An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debianoisf/suricata< 1:4.1.4-1+3

▶NVDsuricata-ids/suricata4.1.3

🔴Vulnerability Details

GHSA

GHSA-wm52-jfxr-m7x9: An issue was discovered in Suricata 4↗2022-05-24

▶

CVEList

CVE-2019-10054: An issue was discovered in Suricata 4↗2019-08-28

▶

OSV

CVE-2019-10054: An issue was discovered in Suricata 4↗2019-08-28

▶

📋Vendor Advisories

Debian

CVE-2019-10054: suricata - An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 ...↗2019

▶

💬Community

Bugzilla

CVE-2019-10054 suricata: invalid memory access in function process_reply_record_v3 leads to denial of service↗2019-09-05

▶