CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
Page 81 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-31409 | | | 0.00 | — | 0.02 | | May 5, 2021 | Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. |
| CVE-2021-23343 | | | 0.00 | — | 0.02 | | May 4, 2021 | All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. |
| CVE-2021-21391 | | | 0.00 | — | 0.02 | | Apr 29, 2021 | CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal… |
| CVE-2021-23364 | | | 0.00 | — | 0.02 | | Apr 28, 2021 | The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries. |
| CVE-2021-23382 | | | 0.00 | — | 0.03 | | Apr 26, 2021 | The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*). |
| CVE-2021-29469 | | | 0.00 | — | 0.02 | | Apr 23, 2021 | Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version… |
| CVE-2021-31405 | | | 0.00 | — | 0.01 | | Apr 23, 2021 | Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting… |
| CVE-2020-36320 | | | 0.00 | — | 0.02 | | Apr 23, 2021 | Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. |
| CVE-2021-29430 | | | 0.00 | — | 0.02 | | Apr 15, 2021 | Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response… |
| CVE-2021-29433 | | | 0.00 | — | 0.01 | | Apr 15, 2021 | Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 and prior, missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. A patch for… |
| CVE-2021-23368 | | | 0.00 | — | 0.04 | | Apr 12, 2021 | The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. |
| CVE-2021-23371 | | | 0.00 | — | 0.02 | | Apr 12, 2021 | This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces. |
| CVE-2021-22696 | | | 0.00 | — | 0.07 | | Apr 2, 2021 | CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also… |
| CVE-2021-20291 | | | 0.00 | — | 0.02 | | Apr 1, 2021 | A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation… |
| CVE-2021-29932 | | | 0.00 | — | 0.01 | | Apr 1, 2021 | An issue was discovered in the parse_duration crate through 2021-03-18 for Rust. It allows attackers to cause a denial of service (CPU and memory consumption) via a duration string with a large exponent. |
| CVE-2021-28657 | | | 0.00 | — | 0.03 | | Mar 31, 2021 | A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. |
| CVE-2018-1109 | | | 0.00 | — | 0.01 | | Mar 30, 2021 | A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. |
| CVE-2018-1107 | | | 0.00 | — | 0.01 | | Mar 30, 2021 | It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated. |
| CVE-2021-23362 | | | 0.00 | — | 0.04 | | Mar 23, 2021 | The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. |
| CVE-2021-21348 | | | 0.00 | — | 0.14 | | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the… |