Oisf
Products by Oisf Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Oisf . Last year Oisf had 3 security vulnerabilities published. Right now, Oisf is on track to have less security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 3 | 8.27 |
2022 | 0 | 0.00 |
2021 | 3 | 8.27 |
2020 | 0 | 0.00 |
2019 | 5 | 7.52 |
2018 | 1 | 7.80 |
It may take a day or so for new Oisf vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Oisf Security Vulnerabilities
In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code
CVE-2023-35853
9.8 - Critical
- June 19, 2023
In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename
CVE-2023-35852
7.5 - High
- June 19, 2023
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
Directory traversal
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1
CVE-2020-19678
7.5 - High
- April 06, 2023
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Directory traversal
An issue was discovered in Suricata before 6.0.4
CVE-2021-45098
7.5 - High
- December 16, 2021
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack
CVE-2021-37592
9.8 - Critical
- November 19, 2021
Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
Memory Corruption
Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion
CVE-2021-35063
7.5 - High
- July 22, 2021
Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."
In OISF LibHTP before 0.5.31
CVE-2019-17420
5.3 - Medium
- October 10, 2019
In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending.
Improper Input Validation
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass
CVE-2019-1010279
7.5 - High
- July 18, 2019
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3.
Improper Verification of Cryptographic Signature
Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass
CVE-2019-1010251
7.5 - High
- July 18, 2019
Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed network packet. The component is: app-layer-detect-proto.c, decode.c, decode-teredo.c and decode-ipv6.c (https://github.com/OISF/suricata/pull/3590/commits/11f3659f64a4e42e90cb3c09fcef66894205aefe, https://github.com/OISF/suricata/pull/3590/commits/8357ef3f8ffc7d99ef6571350724160de356158b). The attack vector is: An attacker can trigger the vulnerability by sending a specifically crafted network request. The fixed version is: 4.1.2.
Improper Input Validation
A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4
CVE-2019-10050
7.5 - High
- May 13, 2019
A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash.
Out-of-bounds Read
htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26
CVE-2018-10243
9.8 - Critical
- April 04, 2019
htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header.
Out-of-bounds Read
OISF suricata-update version 1.0.0a1 contains an Insecure Deserialization vulnerability in the insecure yaml.load-Function as used in the following files: config.py:136
CVE-2018-1000167
7.8 - High
- April 18, 2018
OISF suricata-update version 1.0.0a1 contains an Insecure Deserialization vulnerability in the insecure yaml.load-Function as used in the following files: config.py:136, config.py:142, sources.py:99 and sources.py:131. The "list-sources"-command is affected by this bug. that can result in Remote Code Execution(even as root if suricata-update is called by root). This attack appears to be exploitable via a specially crafted yaml-file at https://www.openinfosecfoundation.org/rules/index.yaml. This vulnerability appears to have been fixed in 1.0.0b1.
Marshaling, Unmarshaling