CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 77 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-0671 | — | 0.00 | — | 0.01 | Feb 18, 2022 | A flaw was found in vscode-xml in versions prior to 0.19.0. Schema download could lead to blind SSRF or DoS via a large file. | ||
| CVE-2022-24684 | 0.00 | — | 0.01 | Feb 15, 2022 | HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6. | |||
| CVE-2022-21698 | — | 0.00 | — | 0.06 | Feb 15, 2022 | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through… | ||
| CVE-2021-23597 | — | 0.00 | — | 0.02 | Feb 11, 2022 | This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382). | ||
| CVE-2022-23580 | 0.00 | — | 0.01 | Feb 4, 2022 | Tensorflow is an Open Source Machine Learning Framework. During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1,… | |||
| CVE-2022-23591 | 0.00 | — | 0.01 | Feb 4, 2022 | Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when… | |||
| CVE-2022-21733 | 0.00 | — | 0.01 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on `pad_witdh` and that result in… | |||
| CVE-2022-21732 | 0.00 | — | 0.01 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `num_threads` argument is only checked to not be negative, but there is no upper… | |||
| CVE-2021-43859 | 0.00 | — | 0.08 | Feb 1, 2022 | XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service… | |||
| CVE-2022-23596 | — | 0.00 | — | 0.02 | Feb 1, 2022 | Junrar is an open source java RAR archive library. In affected versions A carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malignant… | ||
| CVE-2022-21721 | — | 0.00 | — | 0.02 | Jan 28, 2022 | Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom… | ||
| CVE-2022-21708 | — | 0.00 | — | 0.01 | Jan 21, 2022 | graphql-go is a GraphQL server with a focus on ease of use. In versions prior to 1.3.0 there exists a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with… | ||
| CVE-2022-23837 | 0.00 | — | 0.05 | Jan 21, 2022 | In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. | |||
| CVE-2022-21700 | 0.00 | — | 0.01 | Jan 18, 2022 | Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type… | |||
| CVE-2022-21689 | 0.00 | — | 0.01 | Jan 18, 2022 | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which… | |||
| CVE-2022-21680 | 0.00 | — | 0.03 | Jan 14, 2022 | Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable… | |||
| CVE-2022-21670 | — | 0.00 | — | 0.02 | Jan 10, 2022 | markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading. | ||
| CVE-2022-21653 | 0.00 | — | 0.01 | Jan 5, 2022 | Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not… | |||
| CVE-2021-45115 | — | 0.00 | — | 0.02 | Jan 4, 2022 | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where… | ||
| CVE-2021-44716 | — | 0.00 | — | 0.04 | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. |
- CVE-2022-0671Feb 18, 2022risk 0.00cvss —epss 0.01
A flaw was found in vscode-xml in versions prior to 0.19.0. Schema download could lead to blind SSRF or DoS via a large file.
- CVE-2022-24684Feb 15, 2022risk 0.00cvss —epss 0.01
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.
- CVE-2022-21698Feb 15, 2022risk 0.00cvss —epss 0.06
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through…
- CVE-2021-23597Feb 11, 2022risk 0.00cvss —epss 0.02
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).
- CVE-2022-23580Feb 4, 2022risk 0.00cvss —epss 0.01
Tensorflow is an Open Source Machine Learning Framework. During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1,…
- CVE-2022-23591Feb 4, 2022risk 0.00cvss —epss 0.01
Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when…
- CVE-2022-21733Feb 3, 2022risk 0.00cvss —epss 0.01
Tensorflow is an Open Source Machine Learning Framework. The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on `pad_witdh` and that result in…
- CVE-2022-21732Feb 3, 2022risk 0.00cvss —epss 0.01
Tensorflow is an Open Source Machine Learning Framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `num_threads` argument is only checked to not be negative, but there is no upper…
- CVE-2021-43859Feb 1, 2022risk 0.00cvss —epss 0.08
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service…
- CVE-2022-23596Feb 1, 2022risk 0.00cvss —epss 0.02
Junrar is an open source java RAR archive library. In affected versions A carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malignant…
- CVE-2022-21721Jan 28, 2022risk 0.00cvss —epss 0.02
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom…
- CVE-2022-21708Jan 21, 2022risk 0.00cvss —epss 0.01
graphql-go is a GraphQL server with a focus on ease of use. In versions prior to 1.3.0 there exists a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with…
- CVE-2022-23837Jan 21, 2022risk 0.00cvss —epss 0.05
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
- CVE-2022-21700Jan 18, 2022risk 0.00cvss —epss 0.01
Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type…
- CVE-2022-21689Jan 18, 2022risk 0.00cvss —epss 0.01
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which…
- CVE-2022-21680Jan 14, 2022risk 0.00cvss —epss 0.03
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable…
- CVE-2022-21670Jan 10, 2022risk 0.00cvss —epss 0.02
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
- CVE-2022-21653Jan 5, 2022risk 0.00cvss —epss 0.01
Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not…
- CVE-2021-45115Jan 4, 2022risk 0.00cvss —epss 0.02
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where…
- CVE-2021-44716Jan 1, 2022risk 0.00cvss —epss 0.04
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.