CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35853
https://notcve.org/view.php?id=CVE-2023-35853
19 Jun 2023 — In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section. En Suricata antes de la versión 6.0.13, un adversario que controle una fuente externa de reglas Lua puede ser capaz de ejecutar código Lua. Esto se soluciona en la versión 6.0.13 deshabilitando Lua a menos que "allow-rules" sea verdadero en la sección de configuración de segurid... • https://github.com/OISF/suricata/commit/b95bbcc66db526ffcc880eb439dbe8abc87a81da • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2020-19678
https://notcve.org/view.php?id=CVE-2020-19678
06 Apr 2023 — Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php. • http://www.2ngon.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2021-45098
https://notcve.org/view.php?id=CVE-2021-45098
16 Dec 2021 — An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. • https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-37592
https://notcve.org/view.php?id=CVE-2021-37592
19 Nov 2021 — Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments. Suricata versiones anteriores a 5.0.8 y versiones 6.x anteriores a 6.0.4, permite una evasión de TCP por medio de un cliente con una pila TCP/IP diseñada que puede enviar una determinada secuencia de segmentos • https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-35063
https://notcve.org/view.php?id=CVE-2021-35063
22 Jul 2021 — Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion." Suricata versiones anteriores a 5.0.7 y versiones 6.x anteriores a 6.0.3, presenta una "evasión crítica" • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990835 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-1010279
https://notcve.org/view.php?id=CVE-2019-1010279
18 Jul 2019 — Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3. • https://github.com/OISF/suricata/pull/3625 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2016-10728
https://notcve.org/view.php?id=CVE-2016-10728
23 Jul 2018 — An issue was discovered in Suricata before 3.1.2. If an ICMPv4 error packet is received as the first packet on a flow in the to_client direction, it confuses the rule grouping lookup logic. The toclient inspection will then continue with the wrong rule group. This can lead to missed detection. Se ha descubierto un problema en versiones anteriores a la 3.1.2 de Suricata. • https://github.com/kirillwow/ids_bypass • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2018-14568
https://notcve.org/view.php?id=CVE-2018-14568
23 Jul 2018 — Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from a server. This allows detection bypass because Windows TCP clients proceed with normal processing of TCP data that arrives shortly after an RST (i.e., they act as if the RST had not yet been received). Suricata en versiones anteriores a la 4.0.5 detiene la inspección de transmisiones TCP al recibir un TCP RST de un servidor. Esto permite la omisión de la detección debido a que los clientes de Windows TCP continuaban el procesamiento habit... • https://github.com/OISF/suricata/pull/3428/commits/843d0b7a10bb45627f94764a6c5d468a24143345 •
CVSS: 5.3EPSS: 40%CPEs: 2EXPL: 2CVE-2018-6794 – Suricata < 4.0.4 - IDS Detection Bypass
https://notcve.org/view.php?id=CVE-2018-6794
07 Feb 2018 — Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as u... • https://packetstorm.news/files/id/146638 • CWE-693: Protection Mechanism Failure •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15377
https://notcve.org/view.php?id=CVE-2017-15377
23 Oct 2017 — In Suricata before 4.x, it was possible to trigger lots of redundant checks on the content of crafted network traffic with a certain signature, because of DetectEngineContentInspection in detect-engine-content-inspection.c. The search engine doesn't stop when it should after no match is found; instead, it stops only upon reaching inspection-recursion-limit (3000 by default). En Suricata en versiones anteriores a las 4.x, era posible desencadenar numerosos chequeos redundantes en el contenido del trafico de ... • https://github.com/OISF/suricata/commit/b9579fbe7dd408200ef03cbe20efddb624b73885 •