CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 41 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-27576 | — | High | 0.42 | 7.5 | 0.03 | — | Mar 15, 2021 | It was found that the NetTest web service can be used to overload the bandwidth of an Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0. |
| CVE-2021-28092 | — | High | 0.42 | 7.5 | 0.02 | — | Mar 12, 2021 | The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time. |
| CVE-2021-27290 | — | High | 0.42 | 7.5 | 0.05 | — | Mar 12, 2021 | ssri 5.2.2 through 8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. |
| CVE-2021-27923 | — | High | 0.42 | 7.5 | 0.03 | — | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
| CVE-2021-27922 | — | High | 0.42 | 7.5 | 0.05 | — | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. |
| CVE-2021-27921 | — | High | 0.42 | 7.5 | 0.03 | — | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. |
| CVE-2021-23341 | — | High | 0.42 | 7.5 | 0.03 | — | Feb 18, 2021 | The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. |
| CVE-2020-13949 | — | High | 0.42 | 7.5 | 0.07 | — | Feb 12, 2021 | In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. |
| CVE-2021-27191 | — | High | 0.42 | 7.5 | 0.02 | — | Feb 11, 2021 | The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion. |
| CVE-2021-21240 | — | High | 0.42 | 7.5 | 0.04 | — | Feb 8, 2021 | httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with a long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2… |
| CVE-2021-21294 | — | High | 0.42 | 7.5 | 0.02 | — | Feb 2, 2021 | Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections… |
| CVE-2021-21293 | — | High | 0.42 | 7.5 | 0.02 | — | Feb 2, 2021 | blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections… |
| CVE-2021-21254 | — | Medium | 0.42 | 6.5 | 0.02 | — | Jan 29, 2021 | CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed abuse of link recognition… |
| CVE-2020-36049 | — | High | 0.42 | 7.5 | 0.03 | — | Jan 8, 2021 | socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. |
| CVE-2020-36048 | — | High | 0.42 | 7.5 | 0.03 | — | Jan 8, 2021 | Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport. |
| CVE-2020-36066 | — | High | 0.42 | 7.5 | 0.02 | — | Jan 5, 2021 | GJSON before 1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON. |
| CVE-2020-7771 | — | High | 0.42 | 7.5 | 0.02 | — | Jan 4, 2021 | The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. |
| CVE-2020-35857 | — | High | 0.42 | 7.5 | 0.01 | — | Dec 31, 2020 | An issue was discovered in the trust-dns-server crate before 0.18.1 for Rust. DNS MX and SRV null targets are mishandled, causing stack consumption. |
| CVE-2020-26289 | — | High | 0.42 | 7.5 | 0.02 | — | Dec 28, 2020 | date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there is a regular expression involved in parsing which can be exploited to cause a denial of service. This is fixed in version 0.14.2. |
| CVE-2020-35380 | — | High | 0.42 | 7.5 | 0.02 | — | Dec 15, 2020 | GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON. |
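Several entries on this page share one shape: a size field inside the attacker's own bytes decides how much memory the parser allocates (the three Pillow container entries, the Apache Thrift "short messages, large allocation" entry, the socket.io-parser packet entry). The block below is an added example, not code from Pillow, Thrift, socket.io or any other project in the table. It uses a constructed toy image container (`MAGIC`, `HEADER` are invented for illustration), a decode budget `MAX_PIXELS` whose value is an assumption to be tuned per deployment, and shows the trusting decoder beside a bounded one that checks the declared size against both a budget and the bytes that actually arrived before allocating.

```python
"""Declared-size allocation, the CWE-400 shape behind several entries above.

Added example with a constructed toy container; not code from Pillow,
Apache Thrift, socket.io-parser or any other project in the table.
"""
import struct

# Constructed toy container: magic(4) | width(u32) | height(u32) | bpp(u8) | pixels
MAGIC = b"TOYI"
HEADER = struct.Struct("<4sIIB")

# Decode budget in pixels. The value is an assumption: derive it from what the
# service can afford to decode per request, not from what the format permits.
MAX_PIXELS = 64 * 1024 * 1024
ALLOWED_BPP = (1, 3, 4)


def encode(width: int, height: int, bpp: int, pixels: bytes) -> bytes:
    """Build a well-formed container (used here to construct sample input)."""
    if len(pixels) != width * height * bpp:
        raise ValueError("pixel buffer does not match dimensions")
    return HEADER.pack(MAGIC, width, height, bpp) + pixels


def crafted_blob(width: int, height: int, bpp: int = 4) -> bytes:
    """Attacker input: a header declaring a huge image over a 16-byte payload.

    Same shape as the 'short message, large allocation' entries above: the
    declared size is far larger than the bytes actually sent.
    """
    return HEADER.pack(MAGIC, width, height, bpp) + b"\x00" * 16


def declared_allocation(blob: bytes) -> int:
    """Bytes the trusting decoder would allocate for this blob, without allocating."""
    magic, width, height, bpp = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return width * height * bpp


def decode_trusting_header(blob: bytes) -> tuple[int, int, bytes]:
    """Vulnerable: allocation sized purely by the attacker-controlled header.

    crafted_blob(65535, 65535) makes this request roughly 16 GiB for a
    29-byte input. Do not call it on that input outside a sandbox.
    """
    magic, width, height, bpp = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = blob[HEADER.size:]
    buf = bytearray(width * height * bpp)  # CWE-400: no budget, no cross-check
    buf[:len(payload)] = payload
    return width, height, bytes(buf)


def decode_bounded(blob: bytes, max_pixels: int = MAX_PIXELS) -> tuple[int, int, bytes]:
    """Hardened: validate the header against a budget and against the bytes
    present before any allocation proportional to the declared size happens."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, bpp = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if width == 0 or height == 0 or bpp not in ALLOWED_BPP:
        raise ValueError("invalid dimensions or depth")
    # Check each factor before trusting the product: in C the multiplication
    # could wrap to a small number; Python integers do not wrap, but bounding
    # the inputs keeps the budget meaningful either way.
    if width > max_pixels or height > max_pixels or width * height > max_pixels:
        raise ValueError(
            f"declared {width}x{height} exceeds decode budget of {max_pixels} pixels"
        )
    needed = width * height * bpp
    payload = blob[HEADER.size:]
    # The declared size must be backed by bytes that actually arrived.
    if len(payload) != needed:
        raise ValueError(f"header declares {needed} bytes, got {len(payload)}")
    return width, height, bytes(payload)


if __name__ == "__main__":
    good = encode(2, 2, 4, bytes(range(16)))
    print("bounded decode of valid input:", decode_bounded(good)[:2])
    bad = crafted_blob(65535, 65535)
    print(f"{len(bad)}-byte input declares {declared_allocation(bad):,} bytes")
    try:
        decode_bounded(bad)
    except ValueError as exc:
        print("bounded decoder rejected it:", exc)
```

The two checks in `decode_bounded` are independent and both matter: the budget stops a well-formed but enormous declaration from being honoured, and the payload-length check stops a header that is within budget from standing in for bytes that never arrived (the Thrift case). For streaming formats where the payload is read after the header, the second check becomes "read at most `needed` bytes and fail if the stream ends early", never "allocate `needed` and hope".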