CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 36 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-45003 | Hig | 0.42 | 7.5 | 0.01 | Mar 22, 2023 | Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus. | ||
| CVE-2023-0821 | Med | 0.42 | 6.5 | 0.01 | Feb 16, 2023 | HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4. | ||
| CVE-2023-25578 | Hig | 0.42 | 7.5 | 0.01 | Feb 15, 2023 | Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited… | ||
| CVE-2023-25577 | Hig | 0.42 | 7.5 | 0.01 | Feb 14, 2023 | Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more… | ||
| CVE-2023-25576 | Hig | 0.42 | 7.5 | 0.01 | Feb 14, 2023 | @fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body… | ||
| CVE-2023-22792 | — | Hig | 0.42 | 7.5 | 0.02 | Feb 9, 2023 | A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking.… | |
| CVE-2022-44572 | Hig | 0.42 | 7.5 | 0.02 | Feb 9, 2023 | A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in… | ||
| CVE-2022-44571 | Hig | 0.42 | 7.5 | 0.01 | Feb 9, 2023 | There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of… | ||
| CVE-2022-44570 | Hig | 0.42 | 7.5 | 0.02 | Feb 9, 2023 | A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any… | ||
| CVE-2022-44566 | — | Hig | 0.42 | 7.5 | 0.01 | Feb 9, 2023 | A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer… | |
| CVE-2022-3064 | Hig | 0.42 | 7.5 | 0.02 | Dec 27, 2022 | Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. | ||
| CVE-2020-36568 | Hig | 0.42 | 7.5 | 0.01 | Dec 27, 2022 | Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation. | ||
| CVE-2019-25072 | — | Hig | 0.42 | 7.5 | 0.01 | Dec 27, 2022 | Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector. | |
| CVE-2022-4767 | — | Hig | 0.42 | 7.5 | 0.01 | Dec 27, 2022 | Denial of Service in GitHub repository usememos/memos prior to 0.9.1. | |
| CVE-2021-35065 | — | Hig | 0.42 | 7.5 | 0.02 | Dec 26, 2022 | The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. | |
| CVE-2022-40899 | — | Hig | 0.42 | 7.5 | 0.02 | Dec 23, 2022 | An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. | |
| CVE-2022-3510 | — | Hig | 0.42 | 7.5 | 0.00 | Dec 12, 2022 | A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with… | |
| CVE-2022-3509 | — | Hig | 0.42 | 7.5 | 0.01 | Dec 12, 2022 | A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or… | |
| CVE-2022-23492 | Hig | 0.42 | 7.5 | 0.01 | Dec 8, 2022 | go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause… | ||
| CVE-2022-45199 | — | Hig | 0.42 | 7.5 | 0.01 | Nov 14, 2022 | Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. |
- risk 0.42cvss 7.5epss 0.01
Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.
- risk 0.42cvss 6.5epss 0.01
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.
- risk 0.42cvss 7.5epss 0.01
Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited…
- risk 0.42cvss 7.5epss 0.01
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more…
- risk 0.42cvss 7.5epss 0.01
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body…
- risk 0.42cvss 7.5epss 0.02
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking.…
- risk 0.42cvss 7.5epss 0.02
A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in…
- risk 0.42cvss 7.5epss 0.01
There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of…
- risk 0.42cvss 7.5epss 0.02
A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any…
- risk 0.42cvss 7.5epss 0.01
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer…
- risk 0.42cvss 7.5epss 0.02
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
- risk 0.42cvss 7.5epss 0.01
Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation.
- risk 0.42cvss 7.5epss 0.01
Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.
- risk 0.42cvss 7.5epss 0.01
Denial of Service in GitHub repository usememos/memos prior to 0.9.1.
- risk 0.42cvss 7.5epss 0.02
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
- risk 0.42cvss 7.5epss 0.02
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
- risk 0.42cvss 7.5epss 0.00
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with…
- risk 0.42cvss 7.5epss 0.01
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or…
- risk 0.42cvss 7.5epss 0.01
go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause…
- risk 0.42cvss 7.5epss 0.01
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.