CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 14 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-5243 | Hig | 0.49 | 7.5 | 0.02 | Aug 20, 2018 | The Symantec Encryption Management Server (SEMS) product, prior to version 3.4.2 MP1, may be susceptible to a denial of service (DoS) exploit. A DoS attack is a type of attack whereby the perpetrator attempts to make a particular machine or network resource unavailable to its… | ||
| CVE-2018-14940 | Hig | 0.49 | 7.5 | 0.01 | Aug 5, 2018 | PHPCMS 9 allows remote attackers to cause a denial of service (resource consumption) via large font_size, height, and width parameters in an api.php?op=checkcode request. | ||
| CVE-2017-5693 | Hig | 0.49 | 7.5 | 0.04 | Jul 31, 2018 | Firmware in the Intel Puma 5, 6, and 7 Series might experience resource depletion or timeout, which allows a network attacker to create a denial of service via crafted network traffic. | ||
| CVE-2018-10607 | Hig | 0.49 | 7.5 | 0.03 | Jul 31, 2018 | Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior allow the creation of new connections to one or more IOAs, without closing them properly, which may cause a denial of service within the industrial process control channel. | ||
| CVE-2018-5541 | Hig | 0.49 | 7.5 | 0.02 | Jul 25, 2018 | When F5 BIG-IP ASM 13.0.0-13.1.0.1, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.5.1-11.5.6 is processing HTTP requests, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. | ||
| CVE-2018-5530 | Hig | 0.49 | 7.5 | 0.02 | Jul 25, 2018 | F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to "HPACK Bomb". | ||
| CVE-2018-14596 | Hig | 0.49 | 7.5 | 0.01 | Jul 25, 2018 | wancms 1.0 through 5.0 allows remote attackers to cause a denial of service (resource consumption) via a checkcode (aka verification code) URI in which the values of font_size, width, and height are large numbers. | ||
| CVE-2018-10632 | Hig | 0.49 | 7.5 | 0.02 | Jul 24, 2018 | In Moxa NPort 5210, 5230, and 5232 versions 2.9 build 17030709 and prior, the amount of resources requested by a malicious actor are not restricted, allowing for a denial-of-service condition. | ||
| CVE-2018-0372 | Hig | 0.49 | 7.5 | 0.03 | Jul 18, 2018 | A vulnerability in the DHCPv6 feature of the Cisco Nexus 9000 Series Fabric Switches in Application-Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause the device to run low on system memory, which could result in a Denial of Service (DoS)… | ||
| CVE-2018-0030 | Hig | 0.49 | 7.5 | 0.02 | Jul 11, 2018 | Receipt of a specific MPLS packet may cause MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) line cards or PTX1K to crash and restart. By continuously sending specific MPLS packets, an attacker can repeatedly crash the line cards or PTX1K causing a sustained Denial of Service. Affected… | ||
| CVE-2018-7164 | Hig | 0.49 | 7.5 | 0.06 | Jun 13, 2018 | Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial… | ||
| CVE-2017-6779 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | Multiple Cisco products are affected by a vulnerability in local file management for certain system log files of Cisco collaboration products that could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition.… | |
| CVE-2017-16119 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. | |
| CVE-2017-16118 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service… | |
| CVE-2017-16117 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds. | ||
| CVE-2017-16116 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. | ||
| CVE-2017-16115 | — | Hig | 0.49 | 7.5 | 0.01 | Jun 7, 2018 | The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds. | |
| CVE-2017-16114 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. | |
| CVE-2017-16113 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed. | ||
| CVE-2017-16111 | — | Hig | 0.49 | 7.5 | 0.01 | Jun 7, 2018 | The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header. |
- risk 0.49cvss 7.5epss 0.02
The Symantec Encryption Management Server (SEMS) product, prior to version 3.4.2 MP1, may be susceptible to a denial of service (DoS) exploit. A DoS attack is a type of attack whereby the perpetrator attempts to make a particular machine or network resource unavailable to its…
- risk 0.49cvss 7.5epss 0.01
PHPCMS 9 allows remote attackers to cause a denial of service (resource consumption) via large font_size, height, and width parameters in an api.php?op=checkcode request.
- risk 0.49cvss 7.5epss 0.04
Firmware in the Intel Puma 5, 6, and 7 Series might experience resource depletion or timeout, which allows a network attacker to create a denial of service via crafted network traffic.
- risk 0.49cvss 7.5epss 0.03
Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior allow the creation of new connections to one or more IOAs, without closing them properly, which may cause a denial of service within the industrial process control channel.
- risk 0.49cvss 7.5epss 0.02
When F5 BIG-IP ASM 13.0.0-13.1.0.1, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.5.1-11.5.6 is processing HTTP requests, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process.
- risk 0.49cvss 7.5epss 0.02
F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to "HPACK Bomb".
- risk 0.49cvss 7.5epss 0.01
wancms 1.0 through 5.0 allows remote attackers to cause a denial of service (resource consumption) via a checkcode (aka verification code) URI in which the values of font_size, width, and height are large numbers.
- risk 0.49cvss 7.5epss 0.02
In Moxa NPort 5210, 5230, and 5232 versions 2.9 build 17030709 and prior, the amount of resources requested by a malicious actor are not restricted, allowing for a denial-of-service condition.
- risk 0.49cvss 7.5epss 0.03
A vulnerability in the DHCPv6 feature of the Cisco Nexus 9000 Series Fabric Switches in Application-Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause the device to run low on system memory, which could result in a Denial of Service (DoS)…
- risk 0.49cvss 7.5epss 0.02
Receipt of a specific MPLS packet may cause MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) line cards or PTX1K to crash and restart. By continuously sending specific MPLS packets, an attacker can repeatedly crash the line cards or PTX1K causing a sustained Denial of Service. Affected…
- risk 0.49cvss 7.5epss 0.06
Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial…
- risk 0.49cvss 7.5epss 0.02
Multiple Cisco products are affected by a vulnerability in local file management for certain system log files of Cisco collaboration products that could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition.…
- risk 0.49cvss 7.5epss 0.02
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
- risk 0.49cvss 7.5epss 0.02
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service…
- risk 0.49cvss 7.5epss 0.02
slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.
- risk 0.49cvss 7.5epss 0.02
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
- risk 0.49cvss 7.5epss 0.01
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.
- risk 0.49cvss 7.5epss 0.02
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
- risk 0.49cvss 7.5epss 0.02
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
- risk 0.49cvss 7.5epss 0.01
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.