CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 44 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-0285 | Med | 0.42 | 6.5 | 0.03 | May 2, 2018 | A vulnerability in service logging for Cisco Prime Service Catalog could allow an authenticated, remote attacker to deny service to the user interface. The vulnerability is due to exhaustion of disk space. An attacker could exploit this vulnerability by performing certain… | ||
| CVE-2018-1277 | Med | 0.42 | 6.5 | 0.01 | Apr 30, 2018 | Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated user may push an app with a malicious Docker image that will consume more space on a Diego cell than allocated in their quota, potentially… | ||
| CVE-2018-7876 | Med | 0.42 | 6.5 | 0.02 | Mar 8, 2018 | In libming 0.4.8, a memory exhaustion vulnerability was found in the function parseSWF_ACTIONRECORD in util/parser.c, which allows remote attackers to cause a denial of service via a crafted file. | ||
| CVE-2017-18214 | — | Hig | 0.42 | 7.5 | 0.04 | Mar 4, 2018 | The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. | |
| CVE-2018-7540 | Med | 0.42 | 6.5 | 0.00 | Feb 27, 2018 | An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing. | ||
| CVE-2017-13233 | Med | 0.42 | 6.5 | 0.01 | Feb 12, 2018 | In ihevcd_ctb_boundary_strength_pbslice of libhevc, there is possible resource exhaustion. This could lead to a remote temporary denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 5.1.1, 6.0,… | ||
| CVE-2017-6198 | Med | 0.42 | 6.5 | 0.01 | Feb 6, 2018 | The Supervisor in Sandstorm doesn't set and enforce the resource limits of a process. This allows remote attackers to cause a denial of service by launching a fork bomb in the sandbox, or by using a large amount of disk space. | ||
| CVE-2017-15133 | — | Hig | 0.42 | 7.5 | 0.02 | Jan 29, 2018 | A denial of service flaw was found in miekg-dns before 1.0.4. A remote attacker could use carefully timed TCP packets to block the DNS server from accepting new connections. | |
| CVE-2018-5784 | Med | 0.42 | 6.5 | 0.03 | Jan 19, 2018 | In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is… | ||
| CVE-2016-10707 | — | Hig | 0.42 | 7.5 | 0.03 | Jan 18, 2018 | jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit. | |
| CVE-2018-0004 | Med | 0.42 | 6.5 | 0.01 | Jan 10, 2018 | A sustained sequence of different types of normal transit traffic can trigger a high CPU consumption denial of service condition in the Junos OS register and schedule software interrupt handler subsystem when a specific command is issued to the device. This affects one or more… | ||
| CVE-2017-1000476 | Med | 0.42 | 6.5 | 0.03 | Jan 3, 2018 | ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. | ||
| CVE-2016-10703 | Hig | 0.42 | 7.5 | 0.03 | Dec 14, 2017 | A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string. | ||
| CVE-2017-17682 | Med | 0.42 | 6.5 | 0.03 | Dec 14, 2017 | In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call. | ||
| CVE-2017-15701 | Hig | 0.42 | 7.5 | 0.04 | Dec 1, 2017 | In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older… | ||
| CVE-2017-12190 | Med | 0.42 | 6.5 | 0.01 | Nov 22, 2017 | The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference… | ||
| CVE-2017-14696 | Hig | 0.42 | 7.5 | 0.03 | Oct 24, 2017 | SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. | ||
| CVE-2014-7813 | Med | 0.42 | 6.5 | 0.01 | Oct 18, 2017 | Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols. | ||
| CVE-2017-15010 | Hig | 0.42 | 7.5 | 0.03 | Oct 4, 2017 | A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU. | ||
| CVE-2017-14342 | Med | 0.42 | 6.5 | 0.01 | Sep 12, 2017 | ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c via a crafted wpg image file. |
- risk 0.42cvss 6.5epss 0.03
A vulnerability in service logging for Cisco Prime Service Catalog could allow an authenticated, remote attacker to deny service to the user interface. The vulnerability is due to exhaustion of disk space. An attacker could exploit this vulnerability by performing certain…
- risk 0.42cvss 6.5epss 0.01
Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated user may push an app with a malicious Docker image that will consume more space on a Diego cell than allocated in their quota, potentially…
- risk 0.42cvss 6.5epss 0.02
In libming 0.4.8, a memory exhaustion vulnerability was found in the function parseSWF_ACTIONRECORD in util/parser.c, which allows remote attackers to cause a denial of service via a crafted file.
- risk 0.42cvss 7.5epss 0.04
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing.
- risk 0.42cvss 6.5epss 0.01
In ihevcd_ctb_boundary_strength_pbslice of libhevc, there is possible resource exhaustion. This could lead to a remote temporary denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 5.1.1, 6.0,…
- risk 0.42cvss 6.5epss 0.01
The Supervisor in Sandstorm doesn't set and enforce the resource limits of a process. This allows remote attackers to cause a denial of service by launching a fork bomb in the sandbox, or by using a large amount of disk space.
- risk 0.42cvss 7.5epss 0.02
A denial of service flaw was found in miekg-dns before 1.0.4. A remote attacker could use carefully timed TCP packets to block the DNS server from accepting new connections.
- risk 0.42cvss 6.5epss 0.03
In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is…
- risk 0.42cvss 7.5epss 0.03
jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.
- risk 0.42cvss 6.5epss 0.01
A sustained sequence of different types of normal transit traffic can trigger a high CPU consumption denial of service condition in the Junos OS register and schedule software interrupt handler subsystem when a specific command is issued to the device. This affects one or more…
- risk 0.42cvss 6.5epss 0.03
ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
- risk 0.42cvss 7.5epss 0.03
A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string.
- risk 0.42cvss 6.5epss 0.03
In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call.
- risk 0.42cvss 7.5epss 0.04
In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older…
- risk 0.42cvss 6.5epss 0.01
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference…
- risk 0.42cvss 7.5epss 0.03
SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
- risk 0.42cvss 6.5epss 0.01
Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols.
- risk 0.42cvss 7.5epss 0.03
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
- risk 0.42cvss 6.5epss 0.01
ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c via a crafted wpg image file.