ALT-PU-2025-4592-2

BDU:2025-03509

CRITICAL9.8

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с выходом операции за границы буфера в памяти в результате некорректной обработки ключевых слов преобразования, позволяющая нарушителю выполнить произвольный код

Published: 2025-03-28Modified: 2025-03-31

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2025-29915

BDU:2025-03841

HIGH7.3

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с недостаточной проверкой входных данных, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольный код

Published: 2025-04-07

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2025-29918

BDU:2025-03842

HIGH7.3

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с недостаточной проверкой входных данных, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольный код

Published: 2025-04-07

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2025-29917

BDU:2025-03843

HIGH7.3

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с недостаточной проверкой входных данных, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольный код

Published: 2025-04-07

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2025-29916

CVE-2025-29915

HIGH7.5

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.

Published: 2025-04-10Modified: 2025-05-29

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

CVE-2025-29916

MEDIUM5.5

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.

Published: 2025-04-10Modified: 2025-05-29

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-29917

MEDIUM5.5

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread. This vulnerability is fixed in 7.0.9.

Published: 2025-04-10Modified: 2025-05-29

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-29918

MEDIUM5.5

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9.

Published: 2025-04-10Modified: 2025-11-03

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Package update suricata in branch sisyphus

Closed issues (8)