The list of possible sources for suricata-update is downloaded from "https://www.openinfosecfoundation.org/rules/index.yaml" per default. Suricata-Update uses the insecure yaml.load()-function. Code will be executed if the yaml-file contains lines like:
The vulnerable function can be triggered by "suricata-update list-sources". The locally stored index.yaml will be loaded in this function and the malicious code gets executed.
projects / thirdparty / suricata-update.git / commit
