CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 82 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-28501 | — | 0.00 | — | 0.01 | Mar 22, 2021 | This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators. | ||
| CVE-2021-21267 | 0.00 | — | 0.02 | Mar 19, 2021 | Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0… | |||
| CVE-2021-25292 | — | 0.00 | — | 0.02 | Mar 19, 2021 | An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. | ||
| CVE-2021-27292 | — | 0.00 | — | 0.03 | Mar 17, 2021 | ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. | ||
| CVE-2021-27291 | — | 0.00 | — | 0.04 | Mar 17, 2021 | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a… | ||
| CVE-2021-27576 | 0.00 | — | 0.03 | Mar 15, 2021 | If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0 | |||
| CVE-2021-27290 | — | 0.00 | — | 0.05 | Mar 12, 2021 | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. | ||
| CVE-2021-28092 | — | 0.00 | — | 0.02 | Mar 12, 2021 | The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time. | ||
| CVE-2021-23354 | — | 0.00 | — | 0.02 | Mar 12, 2021 | The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic… | ||
| CVE-2021-23353 | — | 0.00 | — | 0.03 | Mar 9, 2021 | This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function. | ||
| CVE-2021-23351 | 0.00 | — | 0.02 | Mar 8, 2021 | The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no… | |||
| CVE-2020-28466 | 0.00 | — | 0.04 | Mar 7, 2021 | This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users… | |||
| CVE-2021-23346 | 0.00 | — | 0.02 | Mar 4, 2021 | This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process. | |||
| CVE-2021-27921 | — | 0.00 | — | 0.03 | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. | ||
| CVE-2021-27922 | — | 0.00 | — | 0.05 | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. | ||
| CVE-2021-27923 | — | 0.00 | — | 0.03 | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. | ||
| CVE-2021-21274 | 0.00 | — | 0.02 | Feb 26, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large… | |||
| CVE-2021-21328 | 0.00 | — | 0.02 | Feb 26, 2021 | Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will… | |||
| CVE-2020-27782 | — | 0.00 | — | 0.01 | Feb 23, 2021 | A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system… | ||
| CVE-2021-27405 | — | 0.00 | — | 0.02 | Feb 19, 2021 | A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js. |
- CVE-2020-28501Mar 22, 2021risk 0.00cvss —epss 0.01
This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.
- CVE-2021-21267Mar 19, 2021risk 0.00cvss —epss 0.02
Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0…
- CVE-2021-25292Mar 19, 2021risk 0.00cvss —epss 0.02
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
- CVE-2021-27292Mar 17, 2021risk 0.00cvss —epss 0.03
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
- CVE-2021-27291Mar 17, 2021risk 0.00cvss —epss 0.04
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a…
- CVE-2021-27576Mar 15, 2021risk 0.00cvss —epss 0.03
If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
- CVE-2021-27290Mar 12, 2021risk 0.00cvss —epss 0.05
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
- CVE-2021-28092Mar 12, 2021risk 0.00cvss —epss 0.02
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
- CVE-2021-23354Mar 12, 2021risk 0.00cvss —epss 0.02
The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic…
- CVE-2021-23353Mar 9, 2021risk 0.00cvss —epss 0.03
This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function.
- CVE-2021-23351Mar 8, 2021risk 0.00cvss —epss 0.02
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no…
- CVE-2020-28466Mar 7, 2021risk 0.00cvss —epss 0.04
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users…
- CVE-2021-23346Mar 4, 2021risk 0.00cvss —epss 0.02
This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
- CVE-2021-27921Mar 3, 2021risk 0.00cvss —epss 0.03
Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
- CVE-2021-27922Mar 3, 2021risk 0.00cvss —epss 0.05
Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
- CVE-2021-27923Mar 3, 2021risk 0.00cvss —epss 0.03
Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
- CVE-2021-21274Feb 26, 2021risk 0.00cvss —epss 0.02
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large…
- CVE-2021-21328Feb 26, 2021risk 0.00cvss —epss 0.02
Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will…
- CVE-2020-27782Feb 23, 2021risk 0.00cvss —epss 0.01
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system…
- CVE-2021-27405Feb 19, 2021risk 0.00cvss —epss 0.02
A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js.