CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
Page 84 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-26307 | — | | 0.00 | — | 0.00 | | Jan 29, 2021 | An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It allows __cpuid_count() calls even if the processor does not support the CPUID instruction, which is unsound and causes a deterministic crash. |
| CVE-2021-20185 | — | | 0.00 | — | 0.01 | | Jan 28, 2021 | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. |
| CVE-2021-21271 | | | 0.00 | — | 0.02 | | Jan 26, 2021 | Tendermint Core is an open source Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. Tendermint Core v0.34.0 introduced a new way of handling evidence of… |
| CVE-2020-28479 | — | | 0.00 | — | 0.02 | | Jan 19, 2021 | The package jointjs before 3.3.0 is vulnerable to Denial of Service (DoS) via the unsetByPath function. |
| CVE-2020-28480 | — | | 0.00 | — | 0.01 | | Jan 19, 2021 | The package jointjs before 3.3.0 is vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.htmlutil.setByPath). The path used to access the object's key and set the value is not properly sanitized, leading to a Prototype… |
| CVE-2020-28478 | — | | 0.00 | — | 0.02 | | Jan 19, 2021 | This affects the package gsap before 3.6.0. |
| CVE-2021-21252 | | | 0.00 | — | 0.04 | | Jan 13, 2021 | The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of… |
| CVE-2020-36048 | — | | 0.00 | — | 0.03 | | Jan 7, 2021 | Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport. |
| CVE-2020-36049 | — | | 0.00 | — | 0.03 | | Jan 7, 2021 | socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. |
| CVE-2021-21236 | | | 0.00 | — | 0.01 | | Jan 6, 2021 | CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which… |
| CVE-2021-21235 | | | 0.00 | — | 0.02 | | Jan 6, 2021 | kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can cause an infinite loop when a crafted PNG file is given. This is fixed in version… |
| CVE-2020-36066 | — | | 0.00 | — | 0.02 | | Jan 5, 2021 | GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON. |
| CVE-2020-7771 | — | | 0.00 | — | 0.02 | | Jan 4, 2021 | The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. |
| CVE-2020-35875 | — | | 0.00 | — | 0.01 | | Dec 31, 2020 | An issue was discovered in the tokio-rustls crate before 0.13.1 for Rust. Excessive memory usage may occur when data arrives quickly. |
| CVE-2020-35896 | — | | 0.00 | — | 0.01 | | Dec 31, 2020 | An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack. |
| CVE-2020-35916 | — | | 0.00 | — | 0.00 | | Dec 31, 2020 | An issue was discovered in the image crate before 0.23.12 for Rust. A mutable reference has immutable provenance. (In the case of LLVM, the IR may be always correct.) |
| CVE-2020-35857 | — | | 0.00 | — | 0.01 | | Dec 31, 2020 | An issue was discovered in the trust-dns-server crate before 0.18.1 for Rust. DNS MX and SRV null targets are mishandled, causing stack consumption. |
| CVE-2020-26289 | | | 0.00 | — | 0.02 | | Dec 28, 2020 | date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there is a regular expression involved in parsing which can be exploited to cause a denial of service. This is fixed in version 0.14.2. |
| CVE-2020-35380 | — | | 0.00 | — | 0.02 | | Dec 15, 2020 | GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON. |
| CVE-2020-7791 | — | | 0.00 | — | 0.03 | | Dec 11, 2020 | This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs. |