CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47188 – Suricata http/byte-ranges: missing hashtable random seed leads to potential DoS
https://notcve.org/view.php?id=CVE-2024-47188
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusi... • https://github.com/OISF/suricata/security/advisories/GHSA-qq5v-qcjx-f872 • CWE-330: Use of Insufficiently Random Values •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47522 – Suricata ja4: invalid alpn leads to panic
https://notcve.org/view.php?id=CVE-2024-47522
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. • https://github.com/OISF/suricata/security/advisories/GHSA-w5xv-6586-jpm7 • CWE-617: Reachable Assertion •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45795 – Suricata detect/datasets: reachable assertion with unimplemented rule option
https://notcve.org/view.php?id=CVE-2024-45795
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de se... • https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g • CWE-617: Reachable Assertion •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45796 – Suricata defrag: off by one can lead to policy bypass
https://notcve.org/view.php?id=CVE-2024-45796
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. Antes de la versión 7.0.7, un error lógico dur... • https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg • CWE-193: Off-by-one Error •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-38536 – Suricata http/range: NULL-ptr deref when http.memcap is reached
https://notcve.org/view.php?id=CVE-2024-38536
11 Jul 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de la red. un fallo en la asignación de memoria debido a que se alcanzó `http.memcap` genera una referencia NULL-ptr que pro... • https://github.com/OISF/suricata/security/advisories/GHSA-j32j-4w6g-94hh • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38535 – Suricata http2: oom from duplicate headers
https://notcve.org/view.php?id=CVE-2024-38535
11 Jul 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de la red. Suricata puede quedarse sin memoria al analizar el tráfico HTTP/2 manipulado. • https://github.com/OISF/suricata/commit/62d5cac1b8483d5f9d2b79833a4e59f5d80129b7 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38534 – Suricata modbus: txs without responses are never freed
https://notcve.org/view.php?id=CVE-2024-38534
11 Jul 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de la red. • https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-28870 – Suricata uses excessive resource use in malformed ssh traffic parsing
https://notcve.org/view.php?id=CVE-2024-28870
20 Mar 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4. Suricata es un sistema de detección de intrusiones de red, un sistema de prevención de intrusiones y un motor de monitorización de seguridad de r... • https://github.com/OISF/suricata/security/advisories/GHSA-mhhx-xw7r-r5c8 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 1%CPEs: 2EXPL: 0CVE-2024-23836 – crafted traffic can cause denial of service
https://notcve.org/view.php?id=CVE-2024-23836
26 Feb 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml and reducing the `stream.reassembly.depth` value... • https://github.com/OISF/suricata/commit/18841a58da71e735ddf4e52cbfa6989755ecbeb7 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35852
https://notcve.org/view.php?id=CVE-2023-35852
19 Jun 2023 — In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation. En Suricata antes de la versión 6.0.13 (cuando hay un adversario que control... • https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •