CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
Page 39 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-23596 | — | High | 0.42 | 7.5 | 0.02 | | Feb 1, 2022 | Junrar is an open source java RAR archive library. In affected versions, a carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malignant… |
| CVE-2021-43859 | — | High | 0.42 | 7.5 | 0.08 | | Feb 1, 2022 | XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload, resulting in a denial of service… |
| CVE-2022-23837 | — | High | 0.42 | 7.5 | 0.05 | | Jan 21, 2022 | In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. |
| CVE-2022-21680 | — | High | 0.42 | 7.5 | 0.03 | | Jan 14, 2022 | Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable… |
| CVE-2021-45115 | — | High | 0.42 | 7.5 | 0.02 | | Jan 5, 2022 | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where… |
| CVE-2021-44716 | — | High | 0.42 | 7.5 | 0.04 | | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. |
| CVE-2021-45711 | — | High | 0.42 | 7.5 | 0.01 | | Dec 27, 2021 | An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 for Rust. There is a panic if UTCTime data, supplied by a remote attacker, has a second character greater than 0x7f. |
| CVE-2021-23490 | — | High | 0.42 | 7.5 | 0.02 | | Dec 24, 2021 | The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. |
| CVE-2021-43854 | — | High | 0.42 | 7.5 | 0.03 | | Dec 23, 2021 | NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The… |
| CVE-2020-35210 | — | Medium | 0.42 | 6.5 | 0.01 | | Dec 16, 2021 | A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. |
| CVE-2021-42836 | — | High | 0.42 | 7.5 | 0.02 | | Oct 22, 2021 | GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack. |
| CVE-2021-41167 | — | High | 0.42 | 7.5 | 0.02 | | Oct 20, 2021 | modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions, a bug affects two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but,… |
| CVE-2021-37137 | — | High | 0.42 | 7.5 | 0.06 | | Oct 19, 2021 | The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be… |
| CVE-2021-37136 | — | High | 0.42 | 7.5 | 0.06 | | Oct 19, 2021 | The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. |
| CVE-2021-3822 | — | High | 0.42 | 7.5 | 0.01 | | Sep 27, 2021 | jsoneditor is vulnerable to Inefficient Regular Expression Complexity |
| CVE-2021-39229 | — | High | 0.42 | 7.5 | 0.02 | | Sep 20, 2021 | Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions users who use Apprise granting them access to the IFTTT plugin (which just comes out of the box) are subject to a… |
| CVE-2021-32838 | — | High | 0.42 | 7.5 | 0.02 | | Sep 20, 2021 | Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS (Regular Expression Denial of Service) in email_regex. This is fixed in version 0.5.1. |
| CVE-2021-32839 | — | High | 0.42 | 7.5 | 0.02 | | Sep 20, 2021 | sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a Regular Expression Denial of Service vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n'… |
| CVE-2021-3795 | — | High | 0.42 | 7.5 | 0.01 | | Sep 15, 2021 | semver-regex is vulnerable to Inefficient Regular Expression Complexity |
| CVE-2021-3794 | — | High | 0.42 | 7.5 | 0.01 | | Sep 15, 2021 | vuelidate is vulnerable to Inefficient Regular Expression Complexity |
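Nine of the twenty rows on this page (Marked, parse-link-header, NLTK, GJSON, jsoneditor, Flask-RESTX, sqlparse, semver-regex, vuelidate) are regular expression denial of service, the CPU-time flavour of CWE-400. The Python below is an added example, not code from any of those projects or from the CVE records: it uses the textbook exponential pattern `(\w+\s?)*` (not the regex of any listed CVE), shows the unambiguous rewrite that accepts the same language in linear time, and wraps it with an input-length cap. The corpus and `MAX_INPUT_LEN` are constructed for illustration.

```python
import re

# Textbook ReDoS pattern: the optional \s? lets the engine split one run of word
# characters across iterations of the outer * in exponentially many ways, so a
# non-matching input such as "aaaa...a!" forces 2^(n-1) attempts before failing.
VULNERABLE_RE = re.compile(r"(\w+\s?)*")

# Same language, unambiguous: inside the group a word is always followed by
# exactly one whitespace character; the optional trailing word sits outside.
# \w and \s are disjoint, so at every position only one parse can proceed and
# a failing input costs O(n) steps instead of O(2^n).
SAFE_RE = re.compile(r"(?:\w+\s)*\w*")

# Hypothetical bound chosen for this example; size it for your own field.
MAX_INPUT_LEN = 10_000


def vulnerable_match(s: str) -> bool:
    """Only ever run this on tiny inputs; it is here to show the verdicts agree."""
    return VULNERABLE_RE.fullmatch(s) is not None


def linear_match(s: str) -> bool:
    """Rewritten regex alone, no length cap."""
    return SAFE_RE.fullmatch(s) is not None


def validate_words(s: str) -> bool:
    """Hardened validator: bound the input first, then run the rewritten regex.

    The cap is defence in depth: even a linear-time regex costs time
    proportional to attacker-chosen input size, so reject oversized input
    before touching the engine at all.
    """
    if len(s) > MAX_INPUT_LEN:
        return False
    return linear_match(s)


def adversarial(n: int) -> str:
    """n word characters followed by one character that matches neither \\w nor \\s:
    the worst case for VULNERABLE_RE, which must try every partition before failing."""
    return "a" * n + "!"


# Constructed corpus (not from the page) covering the edge cases of the language:
# empty, single word, one separator, trailing separator, leading separator,
# double separator, a non-word/non-space character, tab as separator.
CORPUS = [
    "", "hello", "hello world", "hello world ", " hello",
    "hello  world", "hello-world", "a b c", "ab\tcd", adversarial(8),
]


def verdicts_agree() -> bool:
    """True if the vulnerable and rewritten patterns accept exactly the same strings."""
    return all(vulnerable_match(s) == linear_match(s) for s in CORPUS)


if __name__ == "__main__":
    print("same language on corpus:", verdicts_agree())
    # Safe on 50k characters of attacker input; do NOT try this with VULNERABLE_RE.
    print("linear regex rejects adversarial(50000):", not linear_match(adversarial(50_000)))
    print("cap rejects oversized input:", not validate_words("a" * (MAX_INPUT_LEN + 1)))
```

When auditing a regex for this class of bug, look for a quantified group whose body can match the same characters as whatever follows it (here `\w+` followed by an optional `\s?`, then `\w+` again); the rewrite makes every boundary mandatory so the engine has nothing to revisit.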
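CVE-2021-37136 and CVE-2021-37137 above are the memory flavour of CWE-400: a decoder that expands attacker-supplied compressed data with no bound on the decompressed size, so a few hundred bytes of input can force an allocation of gigabytes. The following Python is an added example and not the affected project's code or API; it shows the guard that was missing, using the standard library's `bz2.BZ2Decompressor.decompress(data, max_length=...)` so that the decompressor itself stops producing output at the cap. The bomb and the small payload are constructed inline.

```python
import bz2


class DecompressionLimitExceeded(ValueError):
    """Raised when decompressed output would exceed the configured cap."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream without ever materialising more than max_output bytes.

    The cap is enforced inside the decompressor via max_length, so peak
    allocation stays near max_output + chunk no matter how large the stream
    would expand to. Raises DecompressionLimitExceeded if the stream keeps
    producing output past the cap, ValueError if it ends without an
    end-of-stream marker.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data  # after the first call the decompressor keeps unconsumed input itself
    while not dec.eof:
        # Ask for one byte more than we are allowed to keep: if it arrives the
        # stream is over budget; a stream that ends exactly at the cap still
        # reaches eof in this call and is accepted.
        room = max_output - len(out) + 1
        piece = dec.decompress(pending, max_length=min(chunk, room))
        pending = b""
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeds {max_output} bytes")
        if not dec.eof and (dec.needs_input or not piece):
            # All supplied input consumed, or no progress, before end of stream.
            raise ValueError("truncated or corrupt bzip2 stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if decompressing data would blow through max_output bytes."""
    try:
        bounded_bz2_decompress(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed inputs (not from the page): a tiny bzip2 stream that expands to
# 16 MiB of zeros, and a small legitimate payload for the happy path.
BOMB_PLAIN_SIZE = 16 * 1024 * 1024
CONSTRUCTED_BOMB = bz2.compress(b"\0" * BOMB_PLAIN_SIZE)
CONSTRUCTED_SMALL_PLAIN = b"hello world\n" * 100
CONSTRUCTED_SMALL = bz2.compress(CONSTRUCTED_SMALL_PLAIN)


if __name__ == "__main__":
    print("bomb compressed size:", len(CONSTRUCTED_BOMB), "bytes")
    print("bomb exceeds 1 MiB cap:", exceeds_limit(CONSTRUCTED_BOMB, 1 << 20))
    print("small payload round-trips:",
          bounded_bz2_decompress(CONSTRUCTED_SMALL, 1 << 20) == CONSTRUCTED_SMALL_PLAIN)
```

The same shape applies to any streaming decoder: the cap must be checked on the decompressed side, per chunk, before the buffer grows, since the compressed length says nothing about the output length. A check on the compressed size alone would let this bomb through.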