CVE-2021-45098
https://notcve.org/view.php?id=CVE-2021-45098
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. • https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df https://github.com/OISF/suricata/releases https://redmine.openinfosecfoundation.org/issues/4710 •
CVE-2021-37592
https://notcve.org/view.php?id=CVE-2021-37592
Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments. Suricata versiones anteriores a 5.0.8 y versiones 6.x anteriores a 6.0.4, permite una evasión de TCP por medio de un cliente con una pila TCP/IP diseñada que puede enviar una determinada secuencia de segmentos • https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 https://github.com/OISF/suricata/releases https://redmine.openinfosecfoundation.org/issues/4569 • CWE-787: Out-of-bounds Write •
CVE-2021-35063
https://notcve.org/view.php?id=CVE-2021-35063
Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion." Suricata versiones anteriores a 5.0.7 y versiones 6.x anteriores a 6.0.3, presenta una "evasión crítica" • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990835 https://bugzilla.redhat.com/show_bug.cgi?id=1980453 https://forum.suricata.io/t/suricata-6-0-3-and-5-0-7-released/1489 https://github.com/OISF/suricata/releases https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JU27J2ZYG6FBDL5CERE6FBB4ZFGHOROE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEP7PWY4LRT2R4MFLV7JIJRYZEZ7RQFL https://security-tracker.debian.org/tracker/ •
CVE-2019-17420
https://notcve.org/view.php?id=CVE-2019-17420
In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending. En OISF LibHTP versiones anteriores a 0.5.31, como es usado en Suricata versión 4.1.4 y otros productos, un error de análisis del protocolo HTTP hace que la firma http_header no avise en una respuesta con un solo \r\n al final. • https://github.com/OISF/libhtp/compare/0.5.30...0.5.31 https://github.com/OISF/libhtp/pull/213 https://redmine.openinfosecfoundation.org/issues/2969 • CWE-459: Incomplete Cleanup •
CVE-2019-1010279
https://notcve.org/view.php?id=CVE-2019-1010279
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3. • https://github.com/OISF/suricata/pull/3625 https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b https://redmine.openinfosecfoundation.org/issues/2770 • CWE-347: Improper Verification of Cryptographic Signature •