VYPR

Vendor CVEs

Oisf

All CVEs

86 total · sorted by risk
  • CVE-2024-32664May 7, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19.…

  • CVE-2024-32663May 7, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5…

  • CVE-2024-28871Apr 4, 2024
    risk 0.00cvss epss 0.01

    LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available.

  • CVE-2024-28870Apr 3, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive…

  • CVE-2024-23837Feb 26, 2024
    risk 0.00cvss epss 0.01

    LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46.

  • CVE-2024-24568Feb 26, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3.

  • CVE-2024-23839Feb 26, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The…

  • CVE-2024-23836Feb 26, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which…

  • CVE-2024-23835Feb 26, 2024
    risk 0.00cvss epss 0.01

    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround,…

  • CVE-2023-35853Jun 19, 2023
    risk 0.00cvss epss 0.01

    In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

  • CVE-2023-35852Jun 19, 2023
    risk 0.00cvss epss 0.01

    In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by…

  • CVE-2020-19678Apr 6, 2023
    risk 0.00cvss epss 0.03

    Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.

  • CVE-2021-45098Dec 16, 2021
    risk 0.00cvss epss 0.02

    An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random…

  • CVE-2021-37592Nov 19, 2021
    risk 0.00cvss epss 0.02

    Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.

  • CVE-2021-35063Jul 22, 2021
    risk 0.00cvss epss 0.02

    Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."

  • CVE-2019-18792Jan 6, 2020
    risk 0.00cvss epss 0.03

    An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data)…

  • CVE-2019-17420Oct 9, 2019
    risk 0.00cvss epss 0.01

    In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending.

  • CVE-2019-16410Sep 24, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.

  • CVE-2019-16411Sep 24, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len < 5 (corresponding to 2 bytes of…

  • CVE-2019-15699Sep 24, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match…

  • CVE-2019-10056Aug 28, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and…

  • CVE-2019-10055Aug 28, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.

  • CVE-2019-10054Aug 28, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.

  • CVE-2019-10052Aug 28, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to access a part of a DHCP packet. At this point, the Rust environment runs into a panic in parse_clientid_option in the dhcp/parser.rs file.

  • CVE-2019-10051Aug 28, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.

  • CVE-2019-1010279Jul 18, 2019
    risk 0.00cvss epss 0.01

    Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c…

  • CVE-2019-1010251Jul 18, 2019
    risk 0.00cvss epss 0.02

    Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed network packet. The component is: app-layer-detect-proto.c, decode.c,…

  • CVE-2019-10053May 13, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.

  • CVE-2019-10050May 13, 2019
    risk 0.00cvss epss 0.01

    A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can…

  • CVE-2018-10243Apr 4, 2019
    risk 0.00cvss epss 0.02

    htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header.

  • CVE-2018-10244Apr 4, 2019
    risk 0.00cvss epss 0.02

    Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/IP PDU. A malformed PDU can cause the parsing code to read beyond the allocated data because DecodeENIPPDU in app-layer-enip-commmon.c has an integer overflow during a length check.

  • CVE-2018-10242Apr 4, 2019
    risk 0.00cvss epss 0.02

    Suricata version 4.0.4 incorrectly handles the parsing of the SSH banner. A malformed SSH banner can cause the parsing code to read beyond the allocated data because SSHParseBanner in app-layer-ssh.c lacks a length check.

  • CVE-2018-18956Nov 5, 2018
    risk 0.00cvss epss 0.03

    The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x before 4.0.6 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018.

  • CVE-2015-0971May 14, 2015
    risk 0.00cvss epss 0.01

    The DER parser in Suricata before 2.0.8 allows remote attackers to cause a denial of service (crash) via vectors related to SSL/TLS certificates.

  • CVE-2014-6603Oct 7, 2014
    risk 0.00cvss epss 0.03

    The SSHParseBanner function in SSH parser (app-layer-ssh.c) in Suricata before 2.0.4 allows remote attackers to bypass SSH rules, cause a denial of service (crash), or possibly have unspecified other impact via a crafted banner, which triggers a large memory allocation or an…

  • CVE-2013-5919May 30, 2014
    risk 0.00cvss epss 0.02

    Suricata before 1.4.6 allows remote attackers to cause a denial of service (crash) via a malformed SSL record.

Page 2 of 2