OISF Suricata vulnerabilities

85 known vulnerabilities affecting oisf/suricata.

Total CVEs: 85
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 58, MEDIUM 15

Vulnerabilities

Page 3 of 5
CVE-2024-38535 | HIGH | CVSS 7.5 | fixed in 6.0.20; ≥ 7.0.0, < 7.0.6; +1 more | 2024-07-11
CVE-2024-38535 [HIGH] CWE-770: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
Sources: cvelistv5, nvd, osv
CVE-2024-38536 | HIGH | CVSS 7.5 | fixed in 7.0.6 | 2024-07-11
CVE-2024-38536 [HIGH] CWE-476: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
Sources: cvelistv5, nvd, osv
CVE-2024-37151 | HIGH | CVSS 7.5 | ≥ 6.0.0, < 6.0.20; ≥ 7.0.0, < 7.0.6; +2 more | 2024-07-11
CVE-2024-37151 [HIGH] CWE-754: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the
Sources: cvelistv5, nvd, osv
CVE-2024-32663 | HIGH | CVSS 7.5 | ≥ 6.0.0, < 6.0.19; ≥ 7.0.0, < 7.0.5; +2 more | 2024-05-07
CVE-2024-32663 [HIGH] CWE-400: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `a
Sources: cvelistv5, nvd, osv
CVE-2024-32664 | HIGH | CVSS 7.3 | ≥ 6.0.0, < 6.0.19; ≥ 7.0.0, < 7.0.5; +2 more | 2024-05-07
CVE-2024-32664 [HIGH] CWE-120: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not using rules with `base64_decode` keyword with `bytes` option w
Sources: cvelistv5, nvd, osv
CVE-2024-32867 | MEDIUM | CVSS 5.3 | ≥ 6.0.0, < 6.0.19; ≥ 7.0.0, < 7.0.5; +2 more | 2024-05-07
CVE-2024-32867 [MEDIUM] CWE-754: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.
Sources: cvelistv5, nvd, osv
CVE-2024-28870 | HIGH | CVSS 7.5 | fixed in 6.0.17; ≥ 7.0.0, < 7.0.4; +2 more | 2024-04-03
CVE-2024-28870 [HIGH] CWE-770: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.
Sources: cvelistv5, nvd, osv
CVE-2024-23839 | HIGH | CVSS 8.1 | ≥ 7.0.0, < 7.0.3; v>= 7.0.0, < 7.0.3 | 2024-02-26
CVE-2024-23839 [HIGH] CWE-416: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The vulnerability has been patched in 7.0.3. To work around the vulnerability, avoid
Sources: cvelistv5, nvd, osv
CVE-2024-23835 | HIGH | CVSS 7.5 | ≥ 7.0.0, < 7.0.3; v>= 7.0.0, <= 7.0.2 | 2024-02-26
CVE-2024-23835 [HIGH] CWE-400: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As a workaround, users can disable the pgsql app layer parser.
Sources: cvelistv5, nvd, osv
CVE-2024-23836 | HIGH | CVSS 7.5 | fixed in 6.0.16; ≥ 7.0.0, < 7.0.3; +1 more | 2024-02-26
CVE-2024-23836 [HIGH] CWE-770: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability i
Sources: cvelistv5, nvd, osv
CVE-2024-24568 | MEDIUM | CVSS 5.3 | ≥ 7.0.0, < 7.0.3; v>= 7.0.0, < 7.0.3 | 2024-02-26
CVE-2024-24568 [MEDIUM] CWE-284: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3.
Sources: cvelistv5, nvd, osv
CVE-2023-35853 | CRITICAL | CVSS 9.8 | fixed in 6.0.13 | 2023-06-19
CVE-2023-35853 [CRITICAL] CWE-94: In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
Sources: nvd, osv
CVE-2023-35852 | HIGH | CVSS 7.5 | fixed in 6.0.13 | 2023-06-19
CVE-2023-35852 [HIGH] CWE-22: In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules config
Sources: nvd, osv
CVE-2020-19678 | HIGH | CVSS 7.5 | v1.4.6 | 2023-04-06
CVE-2020-19678 [HIGH] CWE-22: Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Sources: nvd
CVE-2021-45098 | HIGH | CVSS 7.5 | fixed in 6.0.4 | 2021-12-16
CVE-2021-45098 [HIGH]: An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden
Sources: nvd, osv
CVE-2021-37592 | CRITICAL | CVSS 9.8 | fixed in 5.0.8; ≥ 6.0.0, < 6.0.4 | 2021-11-19
CVE-2021-37592 [CRITICAL] CWE-787: Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
Sources: nvd, osv
CVE-2021-35063 | HIGH | CVSS 7.5 | fixed in 5.0.7; ≥ 6.0.0, < 6.0.3 | 2021-07-22
CVE-2021-35063 [HIGH]: Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."
Sources: nvd, osv
CVE-2019-18792 | CRITICAL | CVSS 9.1 | ≥ 4.1.5, < 4.1.6; v5.0.0 | 2020-01-06
CVE-2019-18792 [CRITICAL] CWE-436: An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the seque
Sources: nvd, osv
CVE-2019-18625 | HIGH | CVSS 7.5 | v5.0.0 | 2020-01-06
CVE-2019-18625 [HIGH]: An issue was discovered in Suricata 5.0.0. It was possible to bypass/evade any tcp based signature by faking a closed TCP session using an evil server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client will ignore the RST ACK and the FIN ACK packets because of the bad TCP Timestamp op
Sources: nvd, osv
CVE-2019-16410 | CRITICAL | CVSS 9.1 | ≥ 0, < 1:4.1.5-1 | 2019-09-24
CVE-2019-16410 [CRITICAL]: An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.
Sources: osv