CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 15 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16099 | — | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition. |
| CVE-2017-16030 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier. |
| CVE-2017-16023 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack. |
| CVE-2017-16013 | — | High | 0.49 | 7.5 | 0.02 | | Jun 4, 2018 | hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. |
| CVE-2016-10540 | — | High | 0.49 | 7.5 | 0.02 | | May 31, 2018 | Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter. |
| CVE-2016-10539 | — | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted… |
| CVE-2016-10527 | — | High | 0.49 | 7.5 | 0.02 | | May 31, 2018 | The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions. |
| CVE-2016-10521 | — | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator. |
| CVE-2016-10520 | — | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in. |
| CVE-2015-9239 | — | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in. |
| CVE-2014-10064 | — | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service… |
| CVE-2018-6237 | — | High | 0.49 | 7.5 | 0.06 | | May 25, 2018 | A vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow an unauthenticated remote attacker to manipulate the product to send a large number of specially crafted HTTP requests to potentially cause the file system to fill up, eventually causing a denial… |
| CVE-2018-10827 | — | High | 0.49 | 7.5 | 0.02 | | May 9, 2018 | LiteCart before 2.1.2 allows remote attackers to cause a denial of service (memory consumption) via URIs that do not exist, because public_html/logs/not_found.log grows without bound, and is loaded into memory for each request. |
| CVE-2017-7651 | — | High | 0.49 | 7.5 | 0.05 | | Apr 24, 2018 | In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol. |
| CVE-2018-7920 | — | High | 0.49 | 7.5 | 0.01 | | Apr 19, 2018 | Huawei AR1200 V200R006C10SPC300, AR160 V200R006C10SPC300, AR200 V200R006C10SPC300, AR2200 V200R006C10SPC300, AR3200 V200R006C10SPC300 devices have an improper resource management vulnerability. Due to the improper implementation of ACL mechanism, a remote attacker may send TCP… |
| CVE-2018-10193 | — | High | 0.49 | 7.5 | 0.05 | | Apr 18, 2018 | LogMeIn LastPass through 4.15.0 allows remote attackers to cause a denial of service (browser hang) via an HTML document because the resource consumption of onloadwff.js grows with the number of INPUT elements. |
| CVE-2018-0022 | — | High | 0.49 | 7.5 | 0.02 | | Apr 11, 2018 | A Junos device with VPLS routing-instances configured on one or more interfaces may be susceptible to an mbuf leak when processing a specific MPLS packet. Approximately 1 mbuf is leaked per each packet processed. The number of mbufs is platform dependent. The following command… |
| CVE-2018-8777 | — | High | 0.49 | 7.5 | 0.05 | | Apr 3, 2018 | In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption). |
| CVE-2018-4100 | — | High | 0.49 | 7.5 | 0.03 | | Apr 3, 2018 | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. watchOS before 4.2.2 is affected. The issue involves the "LinkPresentation" component. It allows remote attackers to cause a denial of service (resource… |
| CVE-2018-1064 | — | High | 0.49 | 7.5 | 0.03 | | Mar 28, 2018 | libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor but now also triggered via QEMU guest agent. |