CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
Page 74 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-36078 | | | 0.00 | — | 0.01 | | Sep 2, 2022 | Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with (arbitrary) excessive size value, which can either exhaust available memory or crash the whole program.… |
| CVE-2022-36055 | | | 0.00 | — | 0.01 | | Sep 1, 2022 | Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns… |
| CVE-2022-25857 | | — | 0.00 | — | 0.02 | | Aug 30, 2022 | The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections. |
| CVE-2021-3859 | | — | 0.00 | — | 0.01 | | Aug 26, 2022 | A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks. |
| CVE-2021-42521 | | | 0.00 | — | 0.01 | | Aug 25, 2022 | There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and tries to dereference it. It is unsafe as the return value can be NULL and that… |
| CVE-2022-24375 | | | 0.00 | — | 0.01 | | Aug 24, 2022 | The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. |
| CVE-2021-3690 | | — | 0.00 | — | 0.01 | | Aug 23, 2022 | A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. |
| CVE-2022-25888 | | — | 0.00 | — | 0.01 | | Aug 23, 2022 | The package opcua from 0.0.0 is vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge… |
| CVE-2022-21208 | | | 0.00 | — | 0.01 | | Aug 23, 2022 | The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of… |
| CVE-2022-25304 | | — | 0.00 | — | 0.01 | | Aug 23, 2022 | All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by… |
| CVE-2022-2053 | | — | 0.00 | — | 0.01 | | Aug 5, 2022 | When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking… |
| CVE-2022-35923 | | | 0.00 | — | 0.01 | | Aug 2, 2022 | v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload… |
| CVE-2022-35922 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would… |
| CVE-2022-35915 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue… |
| CVE-2022-31173 | | — | 0.00 | — | 0.01 | | Aug 1, 2022 | Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion… |
| CVE-2022-2596 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | Inefficient Regular Expression Complexity in GitHub repository node-fetch/node-fetch prior to 3.2.10. |
| CVE-2022-24294 | | — | 0.00 | — | 0.02 | | Jul 24, 2022 | A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular… |
| CVE-2022-25891 | | — | 0.00 | — | 0.01 | | Jul 15, 2022 | The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 is vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending messages of exactly 2000, 4000, or 6000 characters. |
| CVE-2022-31781 | | | 0.00 | — | 0.02 | | Jul 13, 2022 | Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the… |
| CVE-2022-31080 | | | 0.00 | — | 0.01 | | Jul 11, 2022 | KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, a large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of… |