VYPR

CWE-400

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 40 of 93
  • CVE-2021-3777 · High · Sep 15, 2021
    risk 0.42 · cvss 7.5 · epss 0.01

    nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

  • CVE-2021-23437 · High · Sep 3, 2021
    risk 0.42 · cvss 7.5 · epss 0.03

    The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

  • CVE-2021-3749 · High · Aug 31, 2021
    risk 0.42 · cvss 7.5 · epss 0.09

    axios is vulnerable to Inefficient Regular Expression Complexity

  • CVE-2021-23429 · Medium · Aug 24, 2021
    risk 0.42 · cvss 6.5 · epss 0.01

    All versions of package transpile are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function.

  • CVE-2021-23424 · High · Aug 18, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

  • CVE-2021-23409 · High · Jul 21, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    The package github.com/pires/go-proxyproto before 0.6.0 is vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header.

  • CVE-2021-32740 · High · Jul 6, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a…

  • CVE-2021-33503 · High · Jun 29, 2021
    risk 0.42 · cvss 7.5 · epss 0.03

    An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected…

  • CVE-2021-28677 · High · Jun 2, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A…

  • CVE-2020-1920 · High · Jun 1, 2021
    risk 0.42 · cvss 7.5 · epss 0.01

    A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.

  • CVE-2021-33587 · High · May 28, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

  • CVE-2021-33623 · High · May 28, 2021
    risk 0.42 · cvss 7.5 · epss 0.03

    The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

  • CVE-2021-33502 · High · May 24, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

  • CVE-2021-21391 · Medium · Apr 29, 2021
    risk 0.42 · cvss 6.5 · epss 0.02

    CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal…

  • CVE-2020-36320 · High · Apr 23, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

  • CVE-2021-29430 · High · Apr 15, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response…

  • CVE-2021-23371 · High · Apr 12, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces.

  • CVE-2021-22696 · High · Apr 2, 2021
    risk 0.42 · cvss 7.5 · epss 0.07

    CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also…

  • CVE-2021-27292 · High · Mar 17, 2021
    risk 0.42 · cvss 7.5 · epss 0.03

    ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

  • CVE-2021-27291 · High · Mar 17, 2021
    risk 0.42 · cvss 7.5 · epss 0.04

    In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a…
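Most entries on this page are one of two shapes of CWE-400: a regular expression whose matching time is superlinear in the input (the ReDoS entries, and the "many @ characters" case in urllib3), or an accumulation loop that is accidentally quadratic (the Pillow EPS readline entry), in both cases reachable because no input-size bound is enforced (the Sydent entry). The block below is an added, constructed example and is not code from any of the packages listed; the regexes, the byte-at-a-time reader and the `MAX_FIELD_LEN` cap are illustrative assumptions. It puts each failure mode next to a linear or bounded replacement so the difference can be timed locally.

```python
"""Constructed CWE-400 examples: a backtracking regex, an accidentally
quadratic line reader, and the bounded/linear forms that replace them.
Not code from any package listed on this page."""
import re
import time

# --- Pattern 1: nested quantifier -> exponential backtracking ------------
# Illustrative pattern (assumption, not a real package's regex). On
# "a"*n + "!" the engine tries every way of splitting the a's between the
# inner and outer '+' before failing: about 2**n attempts.
EXPONENTIAL_PAT = re.compile(r"^(a+)+$")
# Same language, but unambiguous: each character is consumed one way only.
LINEAR_PAT = re.compile(r"^a+$")

MAX_FIELD_LEN = 256  # assumed cap; size it to the field being validated


def hostile_input(n):
    """n matching characters followed by one that forces a failure."""
    return "a" * n + "!"


def timed_match(pat, s):
    """Return (matched, seconds) for pat.fullmatch(s)."""
    t0 = time.perf_counter()
    matched = pat.fullmatch(s) is not None
    return matched, time.perf_counter() - t0


def backtracking_growth(pat, n):
    """Ratio of match time at n+2 vs n: roughly 4 for the exponential
    pattern, roughly 1 for the linear one (noisy below n ~ 14)."""
    _, t1 = timed_match(pat, hostile_input(n))
    _, t2 = timed_match(pat, hostile_input(n + 2))
    return t2 / t1 if t1 else float("inf")


def validate_field(s):
    """Length cap first, then the unambiguous pattern. The cap alone bounds
    the work of any regex that still has polynomial behaviour."""
    return len(s) <= MAX_FIELD_LEN and LINEAR_PAT.fullmatch(s) is not None


# --- Pattern 2: accidentally quadratic line accumulation -----------------
def read_line_quadratic(data):
    """Byte-at-a-time reader that rebuilds the buffer on each append;
    total copying is O(n**2) in the line length. Terminates on \\r or \\n."""
    buf = b""
    for i in range(len(data)):
        c = data[i:i + 1]
        if c in (b"\r", b"\n"):
            break
        buf += c  # allocates and copies a new bytes object every time
    return buf


def read_line_linear(data):
    """Locate the first \\r or \\n once, slice once: O(n)."""
    for i, b in enumerate(data):
        if b in (0x0D, 0x0A):
            return data[:i]
    return data


if __name__ == "__main__":
    for n in (12, 16):
        print("exponential pattern, n=%d: x%.1f per +2 chars"
              % (n, backtracking_growth(EXPONENTIAL_PAT, n)))
    print("linear pattern on 100k chars: matched=%s, %.4fs"
          % timed_match(LINEAR_PAT, hostile_input(100_000)))
    line = b"x" * 20_000 + b"\r\n"
    for fn in (read_line_quadratic, read_line_linear):
        t0 = time.perf_counter()
        fn(line)
        print("%s: %.3fs" % (fn.__name__, time.perf_counter() - t0))
```

Run it as a script to see the exponential pattern roughly quadruple per two added characters while the linear pattern handles a 100,000-character hostile input in well under a millisecond; push `n` past the low twenties only if you are prepared to wait. The two mitigations are independent and both belong in production code: the length cap stops any superlinear parser from seeing a large input, and the unambiguous pattern (or single-scan reader) removes the superlinear behaviour itself.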