CVE-2024-32663

May 7, 2024, 8:07 p.m.

7.5
High

Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536).

Product(s) Impacted

Product Versions
Suricata
  • before 7.0.5 - 6.0.19
Suricata
  • before 7.0.5
  • before 6.0.19

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64
https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd
https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019
https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5
https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r
https://redmine.openinfosecfoundation.org/issues/6892
https://redmine.openinfosecfoundation.org/issues/6900

Tags

security-advisories@github.com
CWE-400
2024-05-07
CVE-2024-32663

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: May 7, 2024, 3:15 p.m.
Last Modified: May 7, 2024, 8:07 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.