VYPR

CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.
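The definition above is abstract, so here is the shape the weakness most often takes in the CVEs listed on this page: a server buffers whatever a client sends with no upper bound (the pattern behind the conduit-hyper entry below, which called `hyper::body::to_bytes` without checking the request length). The following Python is an added example for this page, not VYPR, CWE or any listed project's code; `RequestTooLarge`, `handle_upload`, the 1 MiB limit and the constructed requests are all assumptions made for the demonstration.

```python
import io
from typing import Mapping, Tuple

# Assumed limit for this example; pick one that matches what the endpoint really needs.
MAX_BODY_BYTES = 1 * 1024 * 1024


class RequestTooLarge(Exception):
    """Raised as soon as a request body is known to exceed the limit."""


def read_body_unbounded(stream) -> bytes:
    """The weakness: buffer the whole body with no upper bound.

    Peak memory per request is chosen by the client, not by the server.
    """
    return stream.read()


def read_body_bounded(stream, limit: int, chunk_size: int = 64 * 1024) -> bytes:
    """Buffer at most `limit` bytes, failing fast once the limit is exceeded.

    Each read asks for at most (limit - seen + 1) bytes, so the first over-limit
    byte is detected immediately and never more than limit + 1 bytes are held
    for this request, however much the client keeps sending.
    """
    chunks = []
    seen = 0
    while True:
        want = min(chunk_size, limit - seen + 1)
        chunk = stream.read(want)
        if not chunk:
            return b"".join(chunks)
        seen += len(chunk)
        if seen > limit:
            raise RequestTooLarge(f"body exceeds {limit} bytes")
        chunks.append(chunk)


def handle_upload(headers: Mapping[str, str], stream, limit: int = MAX_BODY_BYTES) -> Tuple[int, bytes]:
    """Minimal handler returning (status, body). Two checks, both needed:

    1. A declared Content-Length over the limit is rejected before a byte is read.
    2. The stream itself is still bounded, because Content-Length may be absent
       (chunked transfer encoding) or simply a lie.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    declared = lowered.get("content-length")
    if declared is not None:
        try:
            if int(declared) > limit:
                return 413, b""
        except ValueError:
            return 400, b""
    try:
        body = read_body_bounded(stream, limit)
    except RequestTooLarge:
        return 413, b""
    return 200, body


def constructed_request(body: bytes, declare_length: bool = True):
    """Constructed sample request for the demo (not captured traffic): (headers, stream)."""
    if declare_length:
        headers = {"Content-Length": str(len(body))}
    else:
        headers = {"Transfer-Encoding": "chunked"}
    return headers, io.BytesIO(body)


if __name__ == "__main__":
    hdrs, body_stream = constructed_request(b"x" * 5000, declare_length=False)
    print(handle_upload(hdrs, body_stream, limit=1024), "after reading", body_stream.tell(), "bytes")
```

The two checks are deliberately separate: the header check is cheap and rejects honest oversize uploads before any allocation, while the bounded reader is the control that actually holds when the header is missing or false. A framework-level equivalent (a maximum request size in the server configuration) should be preferred where it exists; the point of the example is that a limit is enforced before the allocation happens, not after.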

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 37 of 93
  • CVE-2022-41719 · High · Nov 10, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Unmarshal can panic on some inputs, possibly allowing for denial of service attacks.

  • CVE-2022-39294 · High · Oct 31, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send…

  • CVE-2022-3517 · High · Oct 17, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

  • CVE-2022-37599 · High · Oct 11, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

  • CVE-2022-39271 · High · Oct 11, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal…

  • CVE-2022-42004 · High · Oct 2, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

  • CVE-2022-42003 · High · Oct 2, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

  • CVE-2022-2529 · High · Sep 30, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.

  • CVE-2022-34917 · High · Sep 20, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial…

  • CVE-2022-40150 · Medium · Sep 16, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of…

  • CVE-2022-38013 · High · Sep 13, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    .NET Core and Visual Studio Denial of Service Vulnerability

  • CVE-2022-37734 · High · Sep 12, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    graphql-java before 19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9.

  • CVE-2022-31006 · High · Sep 9, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its…

  • CVE-2022-25857 · High · Aug 30, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.

  • CVE-2021-3859 · High · Aug 26, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

  • CVE-2022-24375 · High · Aug 24, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

  • CVE-2021-3690 · High · Aug 23, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

  • CVE-2022-25304 · High · Aug 23, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by…

  • CVE-2022-21208 · High · Aug 23, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of…

  • CVE-2022-35923 · High · Aug 2, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload…
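Several entries on this page (jackson-databind CVE-2022-42003/42004, snakeyaml CVE-2022-25857, Jettison CVE-2022-40150) share one root cause: a parser builds whatever nesting depth the input asks for, so a few kilobytes of `[[[[...` cost the server a stack or heap it never budgeted. The fix in each case was a hard depth limit. The Python below is an added example for this page, not code from VYPR, CWE or any of those projects; `max_nesting_depth`, `parse_json_bounded`, the limit of 32 and the sample documents are assumptions made for the demonstration. It goes slightly beyond the JSON cases on the page by showing the check as a linear pre-pass that runs before the real parser allocates anything.

```python
import json
from typing import Any

# Assumed limit for this example; the right value depends on the schemas you accept.
MAX_DEPTH = 32


class NestingTooDeep(ValueError):
    """Raised before the parser is allowed to build the nested structure."""


def max_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Single linear pass over a JSON document returning its deepest array/object
    nesting, raising NestingTooDeep the moment `limit` is exceeded.

    Brackets inside string literals are ignored by tracking string and escape
    state. This does not validate the JSON; it only bounds the structure the
    real parser will then be permitted to build. Cost is O(len(text)) with
    constant memory, independent of how deep the input tries to go.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting exceeds {limit} levels")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth = max(depth - 1, 0)  # unbalanced input is left for the parser to reject
    return deepest


def is_within_depth(text: str, limit: int = MAX_DEPTH) -> bool:
    """Boolean form of the check, convenient for request filters."""
    try:
        max_nesting_depth(text, limit)
        return True
    except NestingTooDeep:
        return False


def parse_json_bounded(text: str, limit: int = MAX_DEPTH) -> Any:
    """Depth check first, then the ordinary parser on input known to be bounded."""
    max_nesting_depth(text, limit)
    return json.loads(text)


if __name__ == "__main__":
    # Constructed sample documents for the demo; not taken from any advisory.
    print(max_nesting_depth('{"a": [1, [2, [3]]]}'))        # 4
    print(is_within_depth("[" * 100000 + "]" * 100000))      # False, rejected at level 33
```

The check must sit in front of the parser, not inside a try/except around it: a `RecursionError` or `OutOfMemoryError` thrown after the structure has been partly built is the symptom, not the control. For YAML the same limit applies, but nesting there can also be expressed by indentation, so a pre-pass would have to track indentation as well as flow-style brackets; the principle of a configurable hard limit enforced before construction is the same.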