VYPR

CWE-400

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 35 of 93
  • CVE-2023-43810 · High · Oct 6, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has…

  • CVE-2023-5196 · Medium · Sep 29, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Mattermost fails to enforce character limits on all notification props, allowing an attacker to send a very long value for a notification_prop, resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable…

  • CVE-2023-42457 · High · Sep 21, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the…

  • CVE-2023-43669 · High · Sep 21, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times)…

  • CVE-2023-26141 · High · Sep 14, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value, which causes excessive polling requests.

  • CVE-2023-40591 · High · Sep 6, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    go-ethereum (geth) is a Go execution layer implementation of the Ethereum protocol. A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version…

  • CVE-2023-40586 · High · Aug 25, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    OWASP Coraza WAF is a Go, modsecurity-compatible web application firewall library. Due to the misuse of `log.Fatalf`, an application using coraza crashes after receiving crafted requests from attackers. The application will immediately crash after receiving a malicious…

  • CVE-2023-40583 · High · Aug 25, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get…

  • CVE-2021-29057 · Medium · Aug 11, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 which allows attackers to cause a denial of service.

  • CVE-2023-37788 · High · Jul 18, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.

  • CVE-2023-37475 · High · Jul 17, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Hamba avro is a Go encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause…

  • CVE-2023-34150 · Medium · Jul 5, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage.

  • CVE-2023-34620 · High · Jun 14, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    An issue was discovered in hjson through 3.0.0 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.

  • CVE-2023-34104 · High · Jun 6, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can…

  • CVE-2023-20883 · High · May 26, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

  • CVE-2023-2798 · High · May 25, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Those using HtmlUnit to browse untrusted web pages may be vulnerable to denial of service (DoS) attacks. If HtmlUnit is run on user-supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of…

  • CVE-2023-30798 · High · Apr 21, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service.

  • CVE-2023-29013 · High · Apr 14, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the…

  • CVE-2020-19850 · Medium · Apr 4, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large number of HTTP requests.

  • CVE-2022-4899 · High · Mar 31, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
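Many of the entries on this page (the hamba avro `Unmarshal()` out-of-memory, the go-libp2p signed peer records, the geth p2p messages, the Go HTTP header parsing behind the Traefik entry, the Starlette multipart field count) share one shape: a remote peer declares a size or a count, and the decoder allocates or stores on that declaration before checking it against anything. The Go program below is an added example written for this page, not code from any of those projects, and the wire format it parses (a uvarint field count, then per-field uvarint length prefixes) is a hypothetical one chosen to make the pattern visible. `decodeUnbounded` is the CWE-400 shape; `decodeBounded` applies the three checks that close it: a cap on element count, a cap on per-element length, and a running total across the whole record. The sample records are constructed inline.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Limits is the resource policy decodeBounded enforces. The numbers used in
// main are illustrative; a real service sizes them from legitimate traffic.
type Limits struct {
	MaxFields   uint64 // fields per record
	MaxFieldLen uint64 // bytes in one field
	MaxTotal    uint64 // bytes across all fields of one record
}

var ErrLimit = errors.New("record exceeds resource limits")

// putUvarint appends the uvarint encoding of v to b (hypothetical wire format).
func putUvarint(b []byte, v uint64) []byte {
	var tmp [binary.MaxVarintLen64]byte
	return append(b, tmp[:binary.PutUvarint(tmp[:], v)]...)
}

// decodeUnbounded is the CWE-400 shape: every size comes from the peer and is
// passed straight to make(). A few bytes of input can request gigabytes, and a
// large enough request ends the process with an unrecoverable
// "fatal error: runtime: out of memory". Never run it on hostile input.
func decodeUnbounded(r io.Reader) ([][]byte, error) {
	br := bufio.NewReader(r)
	n, err := binary.ReadUvarint(br)
	if err != nil {
		return nil, err
	}
	fields := make([][]byte, 0, n) // peer-chosen capacity
	for i := uint64(0); i < n; i++ {
		l, err := binary.ReadUvarint(br)
		if err != nil {
			return nil, err
		}
		buf := make([]byte, l) // allocated before any payload byte arrives
		if _, err := io.ReadFull(br, buf); err != nil {
			return nil, err
		}
		fields = append(fields, buf)
	}
	return fields, nil
}

// decodeBounded checks each declared size against the policy before it
// allocates and keeps a running total so many small fields cannot add up to an
// unbounded record. The per-field check runs first, so total+l cannot overflow.
func decodeBounded(r io.Reader, lim Limits) ([][]byte, error) {
	br := bufio.NewReader(r)
	n, err := binary.ReadUvarint(br)
	if err != nil {
		return nil, err
	}
	if n > lim.MaxFields {
		return nil, fmt.Errorf("%w: %d fields declared, max %d", ErrLimit, n, lim.MaxFields)
	}
	fields := make([][]byte, 0, n) // n is bounded now
	var total uint64
	for i := uint64(0); i < n; i++ {
		l, err := binary.ReadUvarint(br)
		if err != nil {
			return nil, err
		}
		if l > lim.MaxFieldLen || total+l > lim.MaxTotal {
			return nil, fmt.Errorf("%w: field %d declares %d bytes", ErrLimit, i, l)
		}
		total += l
		buf := make([]byte, l)
		if _, err := io.ReadFull(br, buf); err != nil {
			return nil, fmt.Errorf("field %d short: %w", i, err) // declared > actual
		}
		fields = append(fields, buf)
	}
	return fields, nil
}

// encodeRecord builds a well-formed record; used for the constructed samples.
func encodeRecord(fields ...[]byte) []byte {
	b := putUvarint(nil, uint64(len(fields)))
	for _, f := range fields {
		b = append(putUvarint(b, uint64(len(f))), f...)
	}
	return b
}

// hostileRecord is a constructed seven-byte message: one field whose length
// prefix claims 1 TiB. No payload follows; the prefix alone is the attack.
func hostileRecord() []byte {
	return putUvarint(putUvarint(nil, 1), 1<<40)
}

func main() {
	lim := Limits{MaxFields: 64, MaxFieldLen: 64 << 10, MaxTotal: 1 << 20}
	benign := encodeRecord([]byte("GET"), []byte("/metrics"))
	if f, err := decodeBounded(bytes.NewReader(benign), lim); err == nil {
		fmt.Printf("benign: %d fields %q\n", len(f), f)
	}
	_, err := decodeBounded(bytes.NewReader(hostileRecord()), lim)
	fmt.Println("hostile:", err) // rejected before any payload allocation
}
```

The hostile sample is rejected after seven bytes have been read, without the 1 TiB `make` that `decodeUnbounded` would attempt on the same input. The order of the two comparisons in `decodeBounded` matters: `l > lim.MaxFieldLen` short-circuits before `total+l` is evaluated, so the sum is always small enough not to wrap. As the hamba avro entry above notes, a Go out-of-memory is a fatal runtime error, not a panic, so a deferred `recover()` around the decoder is not a substitute for checking declared sizes first.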