CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-32664 – Suricata's base64 contains an out of bounds write
https://notcve.org/view.php?id=CVE-2024-32664
23 Apr 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false. Suricata es un sistema de detección de intrusiones en la red, un ... • https://github.com/OISF/suricata/commit/311002baf288a225f62cf18a90c5fdd294447379 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-122: Heap-based Buffer Overflow •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 0CVE-2024-32867 – Suricata's defrag contains various issues leading to policy bypass
https://notcve.org/view.php?id=CVE-2024-32867
23 Apr 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de la red. Antes de 7.0.5 y 6.0.19, varios problemas en el manejo de anomalía... • https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9 • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-28870 – Suricata uses excessive resource use in malformed ssh traffic parsing
https://notcve.org/view.php?id=CVE-2024-28870
20 Mar 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4. Suricata es un sistema de detección de intrusiones de red, un sistema de prevención de intrusiones y un motor de monitorización de seguridad de r... • https://github.com/OISF/suricata/security/advisories/GHSA-mhhx-xw7r-r5c8 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28871 – Excessive CPU used on malformed traffic
https://notcve.org/view.php?id=CVE-2024-28871
20 Mar 2024 — LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available. LibHTP es un analizador consciente de la seguridad para el protocolo HTTP y los bits y piezas relacionados. • https://github.com/OISF/libhtp/commit/79e713f3e527593a45f545e854cd9e6fbb3cd3ed • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23837 – LibHTP unbounded folded header handling leads to denial service
https://notcve.org/view.php?id=CVE-2024-23837
26 Feb 2024 — LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46. LibHTP es un analizador consciente de la seguridad para el protocolo HTTP. El tráfico manipulado puede provocar un tiempo de procesamiento excesivo de los encabezados HTTP, lo que lleva a la denegación de servicio. • https://github.com/OISF/libhtp/commit/20ac301d801cdf01b3f021cca08a22a87f477c4a • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24568 – Suricata http2: header handling evasion
https://notcve.org/view.php?id=CVE-2024-24568
26 Feb 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de la red. Antes de 7.0.3, el tráfico manipulado podía eludir las reglas que inspeccionaban los encabezados HTTP2. • https://github.com/OISF/suricata/commit/478a2a38f54e2ae235f8486bff87d7d66b6307f0 • CWE-284: Improper Access Control •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23839 – Suricata http: heap use after free with http.request_header and http.response_header keywords
https://notcve.org/view.php?id=CVE-2024-23839
26 Feb 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The vulnerability has been patched in 7.0.3. To work around the vulnerability, avoid the http.request_header and http.response_header keywords. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusion... • https://github.com/OISF/suricata/commit/cd731fcaf42e5f7078c9be643bfa0cee2ad53e8f • CWE-416: Use After Free •
CVSS: 7.8EPSS: 1%CPEs: 2EXPL: 0CVE-2024-23836 – crafted traffic can cause denial of service
https://notcve.org/view.php?id=CVE-2024-23836
26 Feb 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml and reducing the `stream.reassembly.depth` value... • https://github.com/OISF/suricata/commit/18841a58da71e735ddf4e52cbfa6989755ecbeb7 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23835 – Suricata's pgsql: memory exhaustion use on record parsing
https://notcve.org/view.php?id=CVE-2024-23835
26 Feb 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround, users can disable the pgsql app layer parser. Suricata es un sistema de detección de intrusiones en la red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de la red. • https://github.com/OISF/suricata/commit/86de7cffa7e8f06fe9d600127e7dabe89c7e81dd • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35852
https://notcve.org/view.php?id=CVE-2023-35852
19 Jun 2023 — In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation. En Suricata antes de la versión 6.0.13 (cuando hay un adversario que control... • https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •