CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 78 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-45700 | — | — | 0.00 | — | 0.01 | — | Dec 26, 2021 | An issue was discovered in the ckb crate before 0.40.0 for Rust. Attackers can cause a denial of service (Nervos CKB blockchain node crash) via a dead call that is used as a DepGroup. |
| CVE-2021-45711 | — | — | 0.00 | — | 0.01 | — | Dec 26, 2021 | An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 for Rust. There is a panic if UTCTime data, supplied by a remote attacker, has a second character greater than 0x7f. |
| CVE-2021-23490 | — | — | 0.00 | — | 0.02 | — | Dec 24, 2021 | The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. |
| CVE-2021-43854 | — | — | 0.00 | — | 0.03 | — | Dec 23, 2021 | NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The… |
| CVE-2021-43843 | — | — | 0.00 | — | 0.02 | — | Dec 20, 2021 | jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient for protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot… |
| CVE-2021-43838 | — | — | 0.00 | — | 0.01 | — | Dec 17, 2021 | jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If an attacker can put a lot of JSX elements into `` tag, an internal… |
| CVE-2020-35210 | — | — | 0.00 | — | 0.01 | — | Dec 16, 2021 | A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. |
| CVE-2021-3912 | — | — | 0.00 | — | 0.01 | — | Nov 11, 2021 | OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). |
| CVE-2021-3909 | — | — | 0.00 | — | 0.02 | — | Nov 11, 2021 | OctoRPKI does not limit the length of a connection, allowing for a slowloris DoS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but… |
| CVE-2021-3908 | — | — | 0.00 | — | 0.01 | — | Nov 11, 2021 | OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end. |
| CVE-2021-41186 | — | — | 0.00 | — | 0.02 | — | Oct 29, 2021 | Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain… |
| CVE-2021-42836 | — | — | 0.00 | — | 0.02 | — | Oct 22, 2021 | GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack. |
| CVE-2021-41167 | — | — | 0.00 | — | 0.02 | — | Oct 20, 2021 | modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions a bug affects two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but,… |
| CVE-2021-37136 | — | — | 0.00 | — | 0.06 | — | Oct 19, 2021 | The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. |
| CVE-2021-37137 | — | — | 0.00 | — | 0.06 | — | Oct 19, 2021 | The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be… |
| CVE-2021-33609 | — | — | 0.00 | — | 0.01 | — | Oct 13, 2021 | Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows an authenticated network attacker to cause heap exhaustion by requesting too many rows of data. |
| CVE-2021-3822 | — | — | 0.00 | — | 0.01 | — | Sep 27, 2021 | jsoneditor is vulnerable to Inefficient Regular Expression Complexity. |
| CVE-2021-39229 | — | — | 0.00 | — | 0.02 | — | Sep 20, 2021 | Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions users who use Apprise granting them access to the IFTTT plugin (which just comes out of the box) are subject to a… |
| CVE-2021-32838 | — | — | 0.00 | — | 0.02 | — | Sep 20, 2021 | Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS (Regular Expression Denial of Service) in email_regex. This is fixed in version 0.5.1. |
| CVE-2021-32839 | — | — | 0.00 | — | 0.02 | — | Sep 20, 2021 | sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a Regular Expression Denial of Service vulnerability in sqlparse. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n'… |