CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 37 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41719 | — | High | 0.42 | 7.5 | 0.01 | | Nov 10, 2022 | Unmarshal can panic on some inputs, possibly allowing for denial of service attacks. |
| CVE-2022-39294 | — | High | 0.42 | 7.5 | 0.01 | | Oct 31, 2022 | conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send… |
| CVE-2022-3517 | — | High | 0.42 | 7.5 | 0.02 | | Oct 17, 2022 | A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. |
| CVE-2022-37599 | — | High | 0.42 | 7.5 | 0.02 | | Oct 11, 2022 | A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. |
| CVE-2022-39271 | — | High | 0.42 | 7.5 | 0.01 | | Oct 11, 2022 | Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal… |
| CVE-2022-42004 | — | High | 0.42 | 7.5 | 0.03 | | Oct 2, 2022 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. |
| CVE-2022-42003 | — | High | 0.42 | 7.5 | 0.03 | | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. |
| CVE-2022-2529 | — | High | 0.42 | 7.5 | 0.01 | | Sep 30, 2022 | The sflow decode package does not employ sufficient packet sanitisation, which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory, resulting in a denial of service. |
| CVE-2022-34917 | — | High | 0.42 | 7.5 | 0.01 | | Sep 20, 2022 | A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial… |
| CVE-2022-40150 | — | Medium | 0.42 | 6.5 | 0.01 | | Sep 16, 2022 | Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with an out-of-memory error. This effect may support a denial of… |
| CVE-2022-38013 | — | High | 0.42 | 7.5 | 0.03 | | Sep 13, 2022 | .NET Core and Visual Studio Denial of Service Vulnerability |
| CVE-2022-37734 | — | High | 0.42 | 7.5 | 0.02 | | Sep 12, 2022 | graphql-java before 19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9. |
| CVE-2022-31006 | — | High | 0.42 | 7.5 | 0.01 | | Sep 9, 2022 | indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its… |
| CVE-2022-25857 | — | High | 0.42 | 7.5 | 0.02 | | Aug 30, 2022 | The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting-depth limitation for collections. |
| CVE-2021-3859 | — | High | 0.42 | 7.5 | 0.01 | | Aug 26, 2022 | A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP/2. This flaw allows an attacker to carry out denial of service attacks. |
| CVE-2022-24375 | — | High | 0.42 | 7.5 | 0.01 | | Aug 24, 2022 | The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. |
| CVE-2021-3690 | — | High | 0.42 | 7.5 | 0.01 | | Aug 23, 2022 | A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. |
| CVE-2022-25304 | — | High | 0.42 | 7.5 | 0.01 | | Aug 23, 2022 | All versions of package opcua and all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks, per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by… |
| CVE-2022-21208 | — | High | 0.42 | 7.5 | 0.01 | | Aug 23, 2022 | The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks, per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of… |
| CVE-2022-35923 | — | High | 0.42 | 7.5 | 0.01 | | Aug 2, 2022 | v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload… |
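Two patterns recur in the entries above: buffering an attacker-sized request body with no length check (the conduit-hyper entry) and parsing nested data with no depth limit (the jackson-databind, snakeyaml and Jettison entries). The Python below is an added illustration, not code from any project listed on this page; it shows each pattern beside a bounded counterpart. Function names, the limits chosen and the sample inputs are assumptions constructed for the example.

```python
"""Bounded-resource helpers illustrating CWE-400 mitigations.

Added example, not code from any project on this page. The limits and
sample inputs are constructed for illustration only.
"""
import io
import json


class ResourceLimitExceeded(Exception):
    """Raised when an input would exceed a configured resource bound."""


def read_body_unbounded(stream: io.BufferedIOBase) -> bytes:
    """Vulnerable pattern: read to EOF, so the peer chooses the allocation size."""
    return stream.read()


def read_body_bounded(stream: io.BufferedIOBase, max_bytes: int, chunk: int = 4096) -> bytes:
    """Read at most max_bytes from stream and fail fast once more arrives.

    Reading in chunks keeps peak memory at max_bytes plus one chunk no matter
    what a Content-Length header claims or how much the peer actually sends.
    """
    buf = bytearray()
    while True:
        # Never request more than needed to detect the overrun by one byte.
        piece = stream.read(min(chunk, max_bytes - len(buf) + 1))
        if not piece:
            return bytes(buf)
        buf.extend(piece)
        if len(buf) > max_bytes:
            raise ResourceLimitExceeded(f"body exceeds {max_bytes} bytes")


def json_max_depth(text: str) -> int:
    """Return the maximum bracket nesting depth of a JSON document.

    Single pass and no recursion, so the check itself cannot be driven into
    stack exhaustion. Brackets inside string literals are ignored.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_json_bounded(text: str, max_depth: int = 32, max_bytes: int = 1 << 20):
    """Parse JSON only after size and nesting depth pass fixed bounds.

    Without the depth check, a document of tens of thousands of '[' makes the
    recursive parser blow the interpreter's stack before any result exists.
    """
    if len(text.encode("utf-8")) > max_bytes:
        raise ResourceLimitExceeded(f"document exceeds {max_bytes} bytes")
    depth = json_max_depth(text)
    if depth > max_depth:
        raise ResourceLimitExceeded(f"nesting depth {depth} exceeds {max_depth}")
    return json.loads(text)


def demo() -> dict:
    """Run both patterns on constructed inputs and report what each did."""
    results = {}
    body = io.BytesIO(b"A" * 1000)               # constructed oversized body
    results["unbounded_len"] = len(read_body_unbounded(body))
    body.seek(0)
    try:
        read_body_bounded(body, max_bytes=256)
        results["bounded"] = "accepted"
    except ResourceLimitExceeded:
        results["bounded"] = "rejected"
    deep = "[" * 5000 + "]" * 5000               # constructed deep nesting
    try:
        parse_json_bounded(deep, max_depth=32)
        results["deep"] = "accepted"
    except ResourceLimitExceeded:
        results["deep"] = "rejected"
    results["shallow"] = parse_json_bounded('{"a": [1, {"b": "[{not brackets}]"}]}')
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the bounded versions is that the cost of rejecting an input is fixed and paid before the expensive work, which is the property the vulnerable libraries in the table lacked; in production the same limits belong at the framework or parser configuration layer rather than in per-handler code.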