CVE-2023-35852 (GCVE-0-2023-35852)

Vulnerability from cvelistv5 – Published: 2023-06-19 00:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:28:15.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.stamus-networks.com/stamus-labs"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35852",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T17:05:14.989150Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T17:05:39.191Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-19T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13"
        },
        {
          "url": "https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335"
        },
        {
          "url": "https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17"
        },
        {
          "url": "https://www.stamus-networks.com/stamus-labs"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-35852",
    "datePublished": "2023-06-19T00:00:00.000Z",
    "dateReserved": "2023-06-19T00:00:00.000Z",
    "dateUpdated": "2025-11-03T19:28:15.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.0.13\", \"matchCriteriaId\": \"1FDDE2F7-D633-4FBC-8EE1-6145A82AC02F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.\"}, {\"lang\": \"es\", \"value\": \"En Suricata antes de la versi\\u00f3n 6.0.13 (cuando hay un adversario que controla una fuente externa de reglas), un nombre de archivo de conjunto de datos, que proviene de una regla, puede desencadenar el salto de directorios absolutos o relativos, y conducir al acceso de escritura a un sistema de archivos local. Esto se soluciona en 6.0.13 requiriendo \\\"allow-absolute-filenames\\\" y \\\"allow-write\\\" (en la secci\\u00f3n de configuraci\\u00f3n de reglas de conjuntos de datos) si una instalaci\\u00f3n requiere saltar/escribir en esta situaci\\u00f3n. \"}]",
      "id": "CVE-2023-35852",
      "lastModified": "2024-11-21T08:08:49.503",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2023-06-19T04:15:11.217",
      "references": "[{\"url\": \"https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.stamus-networks.com/stamus-labs\", \"source\": \"cve@mitre.org\", \"tags\": [\"Not Applicable\"]}, {\"url\": \"https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.stamus-networks.com/stamus-labs\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Not Applicable\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-35852\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-06-19T04:15:11.217\",\"lastModified\":\"2025-11-03T20:16:01.437\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.\"},{\"lang\":\"es\",\"value\":\"En Suricata antes de la versi\u00f3n 6.0.13 (cuando hay un adversario que controla una fuente externa de reglas), un nombre de archivo de conjunto de datos, que proviene de una regla, puede desencadenar el salto de directorios absolutos o relativos, y conducir al acceso de escritura a un sistema de archivos local. Esto se soluciona en 6.0.13 requiriendo \\\"allow-absolute-filenames\\\" y \\\"allow-write\\\" (en la secci\u00f3n de configuraci\u00f3n de reglas de conjuntos de datos) si una instalaci\u00f3n requiere saltar/escribir en esta situaci\u00f3n. \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.0.13\",\"matchCriteriaId\":\"1FDDE2F7-D633-4FBC-8EE1-6145A82AC02F\"}]}]}],\"references\":[{\"url\":\"https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.stamus-networks.com/stamus-labs\",\"source\":\"cve@mitre.org\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.stamus-networks.com/stamus-labs\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.stamus-networks.com/stamus-labs\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:28:15.621Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-35852\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-11T17:05:14.989150Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-11T17:05:31.897Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13\"}, {\"url\": \"https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335\"}, {\"url\": \"https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17\"}, {\"url\": \"https://www.stamus-networks.com/stamus-labs\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-06-19T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-35852\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T19:28:15.621Z\", \"dateReserved\": \"2023-06-19T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2023-06-19T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.