VYPR

CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 83 of 93
  • CVE-2021-23341 · Feb 18, 2021
    risk 0.00 · cvss · epss 0.03

    The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

  • CVE-2020-28496 · Feb 18, 2021
    risk 0.00 · cvss · epss 0.03

    This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time =…

  • CVE-2021-21317 · Feb 16, 2021
    risk 0.00 · cvss · epss 0.03

    uap-core is an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows…

  • CVE-2020-28500 · Feb 15, 2021
    risk 0.00 · cvss · epss 0.07

    Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

  • CVE-2020-13949 · Feb 12, 2021
    risk 0.00 · cvss · epss 0.07

    In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

  • CVE-2021-27191 · Feb 11, 2021
    risk 0.00 · cvss · epss 0.02

    The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion.

  • CVE-2021-22880 · Feb 11, 2021
    risk 0.00 · cvss · epss 0.04

    The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too…

  • CVE-2021-21306 · Feb 8, 2021
    risk 0.00 · cvss · epss 0.02

    Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked.…

  • CVE-2021-21240 · Feb 8, 2021
    risk 0.00 · cvss · epss 0.04

    httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2…

  • CVE-2020-28449 · Feb 4, 2021
    risk 0.00 · cvss · epss 0.02

    This affects all versions of package decal. The vulnerability is in the set function.

  • CVE-2020-28450 · Feb 4, 2021
    risk 0.00 · cvss · epss 0.02

    This affects all versions of package decal. The vulnerability is in the extend function.

  • CVE-2021-21294 · Feb 2, 2021
    risk 0.00 · cvss · epss 0.02

    Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections…

  • CVE-2021-21293 · Feb 2, 2021
    risk 0.00 · cvss · epss 0.02

    blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections…

  • CVE-2021-25912 · Feb 2, 2021
    risk 0.00 · cvss · epss 0.03

    Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.

  • CVE-2021-21285 · Feb 2, 2021
    risk 0.00 · cvss · epss 0.03

    In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

  • CVE-2020-28495 · Feb 2, 2021
    risk 0.00 · cvss · epss 0.04

    This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the…

  • CVE-2020-28493 · Feb 1, 2021
    risk 0.00 · cvss · epss 0.04

    This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be…

  • CVE-2021-23329 · Jan 31, 2021
    risk 0.00 · cvss · epss 0.02

    The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.

  • CVE-2021-21254 · Jan 29, 2021
    risk 0.00 · cvss · epss 0.02

    CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition…

  • CVE-2021-26306 · Jan 29, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods.