VYPR

CWE-400

Uncontrolled Resource Consumption

ClassDraftLikelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 41 of 93
  • CVE-2021-27576HigMar 15, 2021
    risk 0.42cvss 7.5epss 0.03

    If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0

  • CVE-2021-28092HigMar 12, 2021
    risk 0.42cvss 7.5epss 0.02

    The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

  • CVE-2021-27290HigMar 12, 2021
    risk 0.42cvss 7.5epss 0.05

    ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

  • CVE-2021-27923HigMar 3, 2021
    risk 0.42cvss 7.5epss 0.03

    Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

  • CVE-2021-27922HigMar 3, 2021
    risk 0.42cvss 7.5epss 0.05

    Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

  • CVE-2021-27921HigMar 3, 2021
    risk 0.42cvss 7.5epss 0.03

    Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

  • CVE-2021-23341HigFeb 18, 2021
    risk 0.42cvss 7.5epss 0.03

    The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

  • CVE-2020-13949HigFeb 12, 2021
    risk 0.42cvss 7.5epss 0.07

    In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

  • CVE-2021-27191HigFeb 11, 2021
    risk 0.42cvss 7.5epss 0.02

    The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion.

  • CVE-2021-21240HigFeb 8, 2021
    risk 0.42cvss 7.5epss 0.04

    httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2…

  • CVE-2021-21294HigFeb 2, 2021
    risk 0.42cvss 7.5epss 0.02

    Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections…

  • CVE-2021-21293HigFeb 2, 2021
    risk 0.42cvss 7.5epss 0.02

    blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections…

  • CVE-2021-21254MedJan 29, 2021
    risk 0.42cvss 6.5epss 0.02

    CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition…

  • CVE-2020-36049HigJan 8, 2021
    risk 0.42cvss 7.5epss 0.03

    socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

  • CVE-2020-36048HigJan 8, 2021
    risk 0.42cvss 7.5epss 0.03

    Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

  • CVE-2020-36066HigJan 5, 2021
    risk 0.42cvss 7.5epss 0.02

    GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.

  • CVE-2020-7771HigJan 4, 2021
    risk 0.42cvss 7.5epss 0.02

    The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function.

  • CVE-2020-35857HigDec 31, 2020
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in the trust-dns-server crate before 0.18.1 for Rust. DNS MX and SRV null targets are mishandled, causing stack consumption.

  • CVE-2020-26289HigDec 28, 2020
    risk 0.42cvss 7.5epss 0.02

    date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2.

  • CVE-2020-35380HigDec 15, 2020
    risk 0.42cvss 7.5epss 0.02

    GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON.