VYPR

CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 81 of 93
  • CVE-2021-31409 · May 5, 2021
    risk 0.00 · cvss · epss 0.02

    Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

  • CVE-2021-23343 · May 4, 2021
    risk 0.00 · cvss · epss 0.02

    All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

  • CVE-2021-21391 · Apr 29, 2021
    risk 0.00 · cvss · epss 0.02

    CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal…

  • CVE-2021-23364 · Apr 28, 2021
    risk 0.00 · cvss · epss 0.02

    The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

  • CVE-2021-23382 · Apr 26, 2021
    risk 0.00 · cvss · epss 0.03

    The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

  • CVE-2021-29469 · Apr 23, 2021
    risk 0.00 · cvss · epss 0.02

    Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version…

  • CVE-2021-31405 · Apr 23, 2021
    risk 0.00 · cvss · epss 0.01

    Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting…

  • CVE-2020-36320 · Apr 23, 2021
    risk 0.00 · cvss · epss 0.02

    Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

  • CVE-2021-29430 · Apr 15, 2021
    risk 0.00 · cvss · epss 0.02

    Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response…

  • CVE-2021-29433 · Apr 15, 2021
    risk 0.00 · cvss · epss 0.01

    Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 and prior, missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. A patch for…

  • CVE-2021-23368 · Apr 12, 2021
    risk 0.00 · cvss · epss 0.04

    The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

  • CVE-2021-23371 · Apr 12, 2021
    risk 0.00 · cvss · epss 0.02

    This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces.

  • CVE-2021-22696 · Apr 2, 2021
    risk 0.00 · cvss · epss 0.07

    CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also…

  • CVE-2021-20291 · Apr 1, 2021
    risk 0.00 · cvss · epss 0.02

    A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation…

  • CVE-2021-29932 · Apr 1, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the parse_duration crate through 2021-03-18 for Rust. It allows attackers to cause a denial of service (CPU and memory consumption) via a duration string with a large exponent.

  • CVE-2021-28657 · Mar 31, 2021
    risk 0.00 · cvss · epss 0.03

    A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

  • CVE-2018-1109 · Mar 30, 2021
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

  • CVE-2018-1107 · Mar 30, 2021
    risk 0.00 · cvss · epss 0.01

    It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

  • CVE-2021-23362 · Mar 23, 2021
    risk 0.00 · cvss · epss 0.04

    The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

  • CVE-2021-21348 · Mar 22, 2021
    risk 0.00 · cvss · epss 0.14

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the…