CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 83 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23341 | 0.00 | — | 0.03 | Feb 18, 2021 | The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. | |||
| CVE-2020-28496 | — | 0.00 | — | 0.03 | Feb 18, 2021 | This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time =… | ||
| CVE-2021-21317 | 0.00 | — | 0.03 | Feb 16, 2021 | uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows… | |||
| CVE-2020-28500 | — | 0.00 | — | 0.07 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. | ||
| CVE-2020-13949 | 0.00 | — | 0.07 | Feb 12, 2021 | In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. | |||
| CVE-2021-27191 | — | 0.00 | — | 0.02 | Feb 11, 2021 | The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion. | ||
| CVE-2021-22880 | — | 0.00 | — | 0.04 | Feb 11, 2021 | The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too… | ||
| CVE-2021-21306 | 0.00 | — | 0.02 | Feb 8, 2021 | Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked.… | |||
| CVE-2021-21240 | 0.00 | — | 0.04 | Feb 8, 2021 | httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2… | |||
| CVE-2020-28449 | — | 0.00 | — | 0.02 | Feb 4, 2021 | This affects all versions of package decal. The vulnerability is in the set function. | ||
| CVE-2020-28450 | — | 0.00 | — | 0.02 | Feb 4, 2021 | This affects all versions of package decal. The vulnerability is in the extend function. | ||
| CVE-2021-21294 | — | 0.00 | — | 0.02 | Feb 2, 2021 | Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections… | ||
| CVE-2021-21293 | — | 0.00 | — | 0.02 | Feb 2, 2021 | blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections… | ||
| CVE-2021-25912 | — | 0.00 | — | 0.03 | Feb 2, 2021 | Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution. | ||
| CVE-2021-21285 | 0.00 | — | 0.03 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. | |||
| CVE-2020-28495 | — | 0.00 | — | 0.04 | Feb 2, 2021 | This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the… | ||
| CVE-2020-28493 | — | 0.00 | — | 0.04 | Feb 1, 2021 | This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be… | ||
| CVE-2021-23329 | — | 0.00 | — | 0.02 | Jan 31, 2021 | The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below. | ||
| CVE-2021-21254 | 0.00 | — | 0.02 | Jan 29, 2021 | CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition… | |||
| CVE-2021-26306 | — | 0.00 | — | 0.01 | Jan 29, 2021 | An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods. |
- CVE-2021-23341Feb 18, 2021risk 0.00cvss —epss 0.03
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
- CVE-2020-28496Feb 18, 2021risk 0.00cvss —epss 0.03
This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time =…
- CVE-2021-21317Feb 16, 2021risk 0.00cvss —epss 0.03
uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows…
- CVE-2020-28500Feb 15, 2021risk 0.00cvss —epss 0.07
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
- CVE-2020-13949Feb 12, 2021risk 0.00cvss —epss 0.07
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
- CVE-2021-27191Feb 11, 2021risk 0.00cvss —epss 0.02
The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion.
- CVE-2021-22880Feb 11, 2021risk 0.00cvss —epss 0.04
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too…
- CVE-2021-21306Feb 8, 2021risk 0.00cvss —epss 0.02
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked.…
- CVE-2021-21240Feb 8, 2021risk 0.00cvss —epss 0.04
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2…
- CVE-2020-28449Feb 4, 2021risk 0.00cvss —epss 0.02
This affects all versions of package decal. The vulnerability is in the set function.
- CVE-2020-28450Feb 4, 2021risk 0.00cvss —epss 0.02
This affects all versions of package decal. The vulnerability is in the extend function.
- CVE-2021-21294Feb 2, 2021risk 0.00cvss —epss 0.02
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections…
- CVE-2021-21293Feb 2, 2021risk 0.00cvss —epss 0.02
blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections…
- CVE-2021-25912Feb 2, 2021risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.
- CVE-2021-21285Feb 2, 2021risk 0.00cvss —epss 0.03
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
- CVE-2020-28495Feb 2, 2021risk 0.00cvss —epss 0.04
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the…
- CVE-2020-28493Feb 1, 2021risk 0.00cvss —epss 0.04
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be…
- CVE-2021-23329Jan 31, 2021risk 0.00cvss —epss 0.02
The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
- CVE-2021-21254Jan 29, 2021risk 0.00cvss —epss 0.02
CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition…
- CVE-2021-26306Jan 29, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods.