Suricata
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-8954 | Suricata | Critical | 0.64 | 9.8 | 0.03 | | Mar 20, 2017 | The MemcmpLowercase function in Suricata before 2.0.6 improperly excludes the first byte from comparisons, which might allow remote attackers to bypass intrusion-prevention functionality via a crafted HTTP request. |
| CVE-2017-15377 | Suricata | High | 0.49 | 7.5 | 0.02 | | Oct 23, 2017 | In Suricata before 4.x, it was possible to trigger lots of redundant checks on the content of crafted network traffic with a certain signature, because of DetectEngineContentInspection in detect-engine-content-inspection.c. The search engine doesn't stop when it should after no… |
| CVE-2017-7177 | Suricata | High | 0.49 | 7.5 | 0.01 | | Mar 18, 2017 | Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused by lack of a check for the IP protocol during fragment matching. |
| CVE-2024-47522 | Suricata | | 0.00 | — | 0.01 | | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been… |
| CVE-2024-47188 | Suricata | | 0.00 | — | 0.00 | | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead… |
| CVE-2024-47187 | Suricata | | 0.00 | — | 0.00 | | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset… |
| CVE-2024-45796 | Suricata | | 0.00 | — | 0.00 | | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this… |
| CVE-2024-45795 | Suricata | | 0.00 | — | 0.01 | | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to… |
| CVE-2024-38536 | Suricata | | 0.00 | — | 0.01 | | Jul 11, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6. |
| CVE-2024-38534 | Suricata | | 0.00 | — | 0.01 | | Jul 11, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue. |
| CVE-2024-37151 | Suricata | | 0.00 | — | 0.01 | | Jul 11, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6… |
| CVE-2024-32867 | Suricata | | 0.00 | — | 0.01 | | May 7, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in… |
| CVE-2024-32664 | Suricata | | 0.00 | — | 0.01 | | May 7, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19.… |
| CVE-2024-32663 | Suricata | | 0.00 | — | 0.01 | | May 7, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5… |
| CVE-2015-0971 | Suricata | | 0.00 | — | 0.01 | | May 14, 2015 | The DER parser in Suricata before 2.0.8 allows remote attackers to cause a denial of service (crash) via vectors related to SSL/TLS certificates. |
| CVE-2014-6603 | Suricata | | 0.00 | — | 0.03 | | Oct 7, 2014 | The SSHParseBanner function in SSH parser (app-layer-ssh.c) in Suricata before 2.0.4 allows remote attackers to bypass SSH rules, cause a denial of service (crash), or possibly have unspecified other impact via a crafted banner, which triggers a large memory allocation or an… |
| CVE-2013-5919 | Suricata | | 0.00 | — | 0.02 | | May 30, 2014 | Suricata before 1.4.6 allows remote attackers to cause a denial of service (crash) via a malformed SSL record. |