Lua Code Execution Vulnerability in Suricata by Open Information Security Foundation
CVE-2023-35853

9.8CRITICAL

Key Information:

Vendor: Oisf
Status: Suricata
Vendor: CVE Published:; 19 June 2023

What is CVE-2023-35853?

Prior to version 6.0.13, Suricata is susceptible to a vulnerability that allows an attacker with control over Lua rules to execute arbitrary Lua code. This poses significant security risks, as it can enable malicious actions within the system. The issue has been mitigated in version 6.0.13 by altering the default Lua configuration to disable code execution unless explicitly permitted via the allow-rules setting.

References

https://github.com/OISF/suricata/compare/suricata-6.0.12....

https://www.stamus-networks.com/stamus-labs

https://github.com/OISF/suricata/commit/b95bbcc66db526ffc...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2023
Vulnerability Reserved
Jun 19, 2023

Oisf

What is CVE-2023-35853?

References

CVSS V3.1

Timeline