VYPR

CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

  • CVE-2017-16099 · High · Jun 7, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

  • CVE-2017-16030 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier.

  • CVE-2017-16023 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.

  • CVE-2017-16013 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.

  • CVE-2016-10540 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.

  • CVE-2016-10539 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted…

  • CVE-2016-10527 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    The riot-compiler version 2.3.21 has an issue in a regex (catastrophic backtracking) that makes it unusable under certain conditions.

  • CVE-2016-10521 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in to the emailAddress validator.

  • CVE-2016-10520 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in.

  • CVE-2015-9239 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in.

  • CVE-2014-10064 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service…

  • CVE-2018-6237 · High · May 25, 2018
    risk 0.49 · cvss 7.5 · epss 0.06

    A vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow an unauthenticated remote attacker to manipulate the product to send a large number of specially crafted HTTP requests to potentially cause the file system to fill up, eventually causing a denial…

  • CVE-2018-10827 · High · May 9, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    LiteCart before 2.1.2 allows remote attackers to cause a denial of service (memory consumption) via URIs that do not exist, because public_html/logs/not_found.log grows without bound, and is loaded into memory for each request.

  • CVE-2017-7651 · High · Apr 24, 2018
    risk 0.49 · cvss 7.5 · epss 0.05

    In Eclipse Mosquitto 1.4.14, a user can shut down the Mosquitto server simply by filling RAM with a large number of connections carrying large payloads. This can be done without authentication if it occurs in the connection phase of the MQTT protocol.

  • CVE-2018-7920 · High · Apr 19, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Huawei AR1200 V200R006C10SPC300, AR160 V200R006C10SPC300, AR200 V200R006C10SPC300, AR2200 V200R006C10SPC300, AR3200 V200R006C10SPC300 devices have an improper resource management vulnerability. Due to the improper implementation of ACL mechanism, a remote attacker may send TCP…

  • CVE-2018-10193 · High · Apr 18, 2018
    risk 0.49 · cvss 7.5 · epss 0.05

    LogMeIn LastPass through 4.15.0 allows remote attackers to cause a denial of service (browser hang) via an HTML document because the resource consumption of onloadwff.js grows with the number of INPUT elements.

  • CVE-2018-0022 · High · Apr 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    A Junos device with VPLS routing-instances configured on one or more interfaces may be susceptible to an mbuf leak when processing a specific MPLS packet. Approximately 1 mbuf is leaked per each packet processed. The number of mbufs is platform dependent. The following command…

  • CVE-2018-8777 · High · Apr 3, 2018
    risk 0.49 · cvss 7.5 · epss 0.05

    In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).

  • CVE-2018-4100 · High · Apr 3, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. watchOS before 4.2.2 is affected. The issue involves the "LinkPresentation" component. It allows remote attackers to cause a denial of service (resource…

  • CVE-2018-1064 · High · Mar 28, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    libvirt version before 4.2.0-rc1 is vulnerable to resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects the QEMU monitor but is now also triggered via the QEMU guest agent.