VYPR

CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 82 of 93
  • CVE-2020-28501 · Mar 22, 2021
    risk 0.00 · cvss · epss 0.01

    This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.

  • CVE-2021-21267 · Mar 19, 2021
    risk 0.00 · cvss · epss 0.02

    Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0…

  • CVE-2021-25292 · Mar 19, 2021
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

  • CVE-2021-27292 · Mar 17, 2021
    risk 0.00 · cvss · epss 0.03

    ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

  • CVE-2021-27291 · Mar 17, 2021
    risk 0.00 · cvss · epss 0.04

    In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a…

  • CVE-2021-27576 · Mar 15, 2021
    risk 0.00 · cvss · epss 0.03

    It was found that the NetTest web service can be used to overload the bandwidth of an Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0.

  • CVE-2021-27290 · Mar 12, 2021
    risk 0.00 · cvss · epss 0.05

    ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

  • CVE-2021-28092 · Mar 12, 2021
    risk 0.00 · cvss · epss 0.02

    The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

  • CVE-2021-23354 · Mar 12, 2021
    risk 0.00 · cvss · epss 0.02

    The package printf before 0.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic…

  • CVE-2021-23353 · Mar 9, 2021
    risk 0.00 · cvss · epss 0.03

    This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function.

  • CVE-2021-23351 · Mar 8, 2021
    risk 0.00 · cvss · epss 0.02

    The package github.com/pires/go-proxyproto before 0.5.0 is vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no…

  • CVE-2020-28466 · Mar 7, 2021
    risk 0.00 · cvss · epss 0.04

    This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users…

  • CVE-2021-23346 · Mar 4, 2021
    risk 0.00 · cvss · epss 0.02

    This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.

  • CVE-2021-27921 · Mar 3, 2021
    risk 0.00 · cvss · epss 0.03

    Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

  • CVE-2021-27922 · Mar 3, 2021
    risk 0.00 · cvss · epss 0.05

    Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

  • CVE-2021-27923 · Mar 3, 2021
    risk 0.00 · cvss · epss 0.03

    Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

  • CVE-2021-21274 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.02

    Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large…

  • CVE-2021-21328 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.02

    Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will…

  • CVE-2020-27782 · Feb 23, 2021
    risk 0.00 · cvss · epss 0.01

    A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system…

  • CVE-2021-27405 · Feb 19, 2021
    risk 0.00 · cvss · epss 0.02

    A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js.