VYPR

CWE-400

Uncontrolled Resource Consumption

ClassDraftLikelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 80 of 93
  • CVE-2021-30468Jun 16, 2021
    risk 0.00cvss epss 0.07

    A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache…

  • CVE-2021-22902Jun 11, 2021
    risk 0.00cvss epss 0.03

    The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser…

  • CVE-2021-22904Jun 11, 2021
    risk 0.00cvss epss 0.05

    The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token`…

  • CVE-2021-23392Jun 8, 2021
    risk 0.00cvss epss 0.02

    The package locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.

  • CVE-2020-28469Jun 3, 2021
    risk 0.00cvss epss 0.04

    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

  • CVE-2021-28677Jun 2, 2021
    risk 0.00cvss epss 0.02

    An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A…

  • CVE-2020-35510Jun 2, 2021
    risk 0.00cvss epss 0.01

    A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redhat-00001. A malicious attacker could cause threads to hold up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the…

  • CVE-2020-14340Jun 2, 2021
    risk 0.00cvss epss 0.02

    A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.

  • CVE-2020-14326Jun 2, 2021
    risk 0.00cvss epss 0.01

    A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.

  • CVE-2020-1920Jun 1, 2021
    risk 0.00cvss epss 0.01

    A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.

  • CVE-2021-23388May 31, 2021
    risk 0.00cvss epss 0.02

    The package forms before 1.2.1, from 1.3.0 and before 1.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via email validation.

  • CVE-2021-33587May 28, 2021
    risk 0.00cvss epss 0.02

    The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

  • CVE-2021-33623May 28, 2021
    risk 0.00cvss epss 0.03

    The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

  • CVE-2021-32640May 25, 2021
    risk 0.00cvss epss 0.03

    ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425e…

  • CVE-2021-33502May 24, 2021
    risk 0.00cvss epss 0.02

    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

  • CVE-2021-29506May 13, 2021
    risk 0.00cvss epss 0.01

    GraphHopper is an open-source Java routing engine. In GrassHopper from version 2.0 and before version 2.4, there is a regular expression injection vulnerability that may lead to Denial of Service. This has been patched in 2.4 and 3.0 See this pull request for the fix:…

  • CVE-2021-29509May 11, 2021
    risk 0.00cvss epss 0.02

    Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all…

  • CVE-2021-29471May 11, 2021
    risk 0.00cvss epss 0.02

    Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including…

  • CVE-2021-32053May 10, 2021
    risk 0.00cvss epss 0.02

    JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server…

  • CVE-2021-21419May 7, 2021
    risk 0.00cvss epss 0.02

    Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts…