The OISF (Open Information Security Foundation) has published corrective releases of the network intrusion detection and prevention system Suricata 7.0.3 and 6.0.16, which eliminate five vulnerabilities, three of which (CVE-2024-23839, CVE-2024-23836, CVE- 2024-23837) has been assigned a critical danger level. The description of the vulnerabilities has not yet been disclosed, however, the critical level is usually assigned when it is possible to remotely execute the attackerβs code. All Suricata users are advised to update their systems immediately.
The Suricata changelog does not explicitly highlight the vulnerabilities, but one of the fixes notes memory access after freeing when processing incorrect HTTP headers. One of the critical vulnerabilities (CVE-2024-23837) is present in the LibHTP HTTP traffic parsing library.
Source: opennet.ru