VYPR

CWE-400

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 38 of 93
  • CVE-2022-35922 · High · Aug 1, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would…

  • CVE-2022-31173 · High · Aug 1, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion…

  • CVE-2022-25891 · High · Jul 15, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 is vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending messages of exactly 2000, 4000, or 6000 characters.

  • CVE-2022-31781 · High · Jul 13, 2022
    risk 0.42 · cvss 7.5 · epss 0.02

    Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the…

  • CVE-2022-31129 · High · Jul 6, 2022
    risk 0.42 · cvss 7.5 · epss 0.04

    moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried…

  • CVE-2022-31016 · Medium · Jun 25, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must…

  • CVE-2022-31054 · High · Jun 13, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request…

  • CVE-2022-1708 · High · Jun 7, 2022
    risk 0.42 · cvss 7.5 · epss 0.03

    A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and…

  • CVE-2022-31018 · High · Jun 2, 2022
    risk 0.42 · cvss 7.5 · epss 0.02

    Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in versions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON…

  • CVE-2022-27781 · High · Jun 2, 2022
    risk 0.42 · cvss 7.5 · epss 0.02

    libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to…

  • CVE-2022-23267 · High · May 10, 2022
    risk 0.42 · cvss 7.5 · epss 0.05

    .NET and Visual Studio Denial of Service Vulnerability

  • CVE-2022-29546 · High · Apr 25, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the…

  • CVE-2022-22969 · Medium · Apr 21, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send…

  • CVE-2022-24863 · High · Apr 18, 2022
    risk 0.42 · cvss 7.5 · epss 0.02

    http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory…

  • CVE-2022-24839 · High · Apr 11, 2022
    risk 0.42 · cvss 7.5 · epss 0.02

    org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library…

  • CVE-2022-24836 · High · Apr 11, 2022
    risk 0.42 · cvss 7.5 · epss 0.04

    Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`.…

  • CVE-2022-24687 · Medium · Feb 24, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.

  • CVE-2022-24684 · Medium · Feb 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2021-23597 · High · Feb 11, 2022
    risk 0.42 · cvss 7.5 · epss 0.02

    This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).

  • CVE-2022-23591 · High · Feb 4, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when…
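Two of the patterns on this page recur across the whole CWE-400 list: an HTTP handler that reads a request body with `ioutil.ReadAll()` / `io.ReadAll()` and so lets the client dictate how much memory is allocated (CVE-2022-31054 in Argo Events, CVE-2022-24863 in http-swagger), and a parser that recurses as deep as attacker-supplied nesting tells it to (CVE-2022-31173 in Juniper, whose advisory tells users who cannot upgrade to limit recursion). The Go code below is an added example written for this page, not code from any of the projects listed; the `/graphql` endpoint, the `maxBodyBytes` and `maxDepth` limits, and the sample requests are all constructed for illustration. It shows the bounded form of both operations: `http.MaxBytesReader` caps the body before anything reads it, and a linear brace scan rejects over-deep queries before a real parser would recurse.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Limits chosen for this example; a real endpoint tunes them to its clients.
// Both are enforced before any parsing of the request happens.
const (
	maxBodyBytes int64 = 1 << 20 // 1 MiB
	maxDepth           = 10
)

// ErrTooDeep is returned when a query nests deeper than the configured limit.
var ErrTooDeep = errors.New("query nesting exceeds limit")

// readBounded replaces the unbounded ioutil.ReadAll / io.ReadAll pattern:
// http.MaxBytesReader stops after limit bytes, returns *http.MaxBytesError,
// and signals the server to close the connection instead of draining the rest.
func readBounded(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	return io.ReadAll(r.Body)
}

// nestingDepth returns the maximum {}-nesting depth of a GraphQL-style query,
// ignoring braces inside double-quoted strings. It fails as soon as depth passes
// limit, so the cost is linear in input size regardless of query shape, unlike a
// recursive parser that notices the depth only after it has already recursed.
func nestingDepth(query string, limit int) (int, error) {
	depth, max := 0, 0
	inString := false
	for i := 0; i < len(query); i++ {
		c := query[i]
		if inString {
			switch c {
			case '\\':
				i++ // skip the escaped character
			case '"':
				inString = false
			}
			continue
		}
		switch c {
		case '"':
			inString = true
		case '{':
			depth++
			if depth > max {
				max = depth
			}
			if depth > limit {
				return max, ErrTooDeep
			}
		case '}':
			if depth > 0 {
				depth--
			}
		}
	}
	return max, nil
}

// handler is a hypothetical GraphQL endpoint with both limits applied.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := readBounded(w, r, maxBodyBytes)
	var tooBig *http.MaxBytesError
	switch {
	case errors.As(err, &tooBig):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	if _, err := nestingDepth(string(body), maxDepth); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}

// serveStatus runs one constructed request through handler and returns the status.
func serveStatus(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/graphql", strings.NewReader(body))
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

// deepQuery builds a query nested n levels, the shape used in recursion attacks.
func deepQuery(n int) string {
	return strings.Repeat("{ a ", n) + strings.Repeat("}", n)
}

// oversizedBody builds a body twice the limit, the shape used in memory attacks.
func oversizedBody() string {
	return strings.Repeat(" ", int(2*maxBodyBytes))
}

func main() {
	fmt.Println(serveStatus(`{ user(id: "{{{") { name } }`)) // 200
	fmt.Println(serveStatus(deepQuery(maxDepth + 2)))          // 400
	fmt.Println(serveStatus(oversizedBody()))                  // 413
}
```

The order matters: the size limit runs first so the depth check never sees more than `maxBodyBytes` of input, and the depth check runs before any real parsing so a query such as `deepQuery(100000)` is rejected by a loop rather than by a stack overflow. Braces inside string arguments are skipped so that `{ user(id: "{{{") { name } }` counts as depth 2, not 5.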