CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 40 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3777 | — | High | 0.42 | 7.5 | 0.01 | | Sep 15, 2021 | nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity |
| CVE-2021-23437 | — | High | 0.42 | 7.5 | 0.03 | | Sep 3, 2021 | The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. |
| CVE-2021-3749 | — | High | 0.42 | 7.5 | 0.09 | | Aug 31, 2021 | axios is vulnerable to Inefficient Regular Expression Complexity |
| CVE-2021-23429 | — | Medium | 0.42 | 6.5 | 0.01 | | Aug 24, 2021 | All versions of package transpile are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function. |
| CVE-2021-23424 | — | High | 0.42 | 7.5 | 0.02 | | Aug 18, 2021 | This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time. |
| CVE-2021-23409 | — | High | 0.42 | 7.5 | 0.02 | | Jul 21, 2021 | The package github.com/pires/go-proxyproto before 0.6.0 are vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header. |
| CVE-2021-32740 | — | High | 0.42 | 7.5 | 0.02 | | Jul 6, 2021 | Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a… |
| CVE-2021-33503 | — | High | 0.42 | 7.5 | 0.03 | | Jun 29, 2021 | An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected… |
| CVE-2021-28677 | — | High | 0.42 | 7.5 | 0.02 | | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A… |
| CVE-2020-1920 | — | High | 0.42 | 7.5 | 0.01 | | Jun 1, 2021 | A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1. |
| CVE-2021-33587 | — | High | 0.42 | 7.5 | 0.02 | | May 28, 2021 | The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. |
| CVE-2021-33623 | — | High | 0.42 | 7.5 | 0.03 | | May 28, 2021 | The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. |
| CVE-2021-33502 | — | High | 0.42 | 7.5 | 0.02 | | May 24, 2021 | The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. |
| CVE-2021-21391 | — | Medium | 0.42 | 6.5 | 0.02 | | Apr 29, 2021 | CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal… |
| CVE-2020-36320 | — | High | 0.42 | 7.5 | 0.02 | | Apr 23, 2021 | Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. |
| CVE-2021-29430 | — | High | 0.42 | 7.5 | 0.02 | | Apr 15, 2021 | Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response… |
| CVE-2021-23371 | — | High | 0.42 | 7.5 | 0.02 | | Apr 12, 2021 | This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces. |
| CVE-2021-22696 | — | High | 0.42 | 7.5 | 0.07 | | Apr 2, 2021 | CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also… |
| CVE-2021-27292 | — | High | 0.42 | 7.5 | 0.03 | | Mar 17, 2021 | ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. |
| CVE-2021-27291 | — | High | 0.42 | 7.5 | 0.04 | | Mar 17, 2021 | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a… |