CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 85 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-26264 | | | 0.00 | — | 0.02 | | Dec 11, 2020 | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns… |
| CVE-2020-7793 | | — | 0.00 | — | 0.04 | | Dec 11, 2020 | The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). |
| CVE-2020-26257 | | | 0.00 | — | 0.02 | | Dec 9, 2020 | Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a… |
| CVE-2020-29651 | | — | 0.00 | — | 0.05 | | Dec 9, 2020 | A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
| CVE-2020-26256 | | — | 0.00 | — | 0.02 | | Dec 8, 2020 | Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-csv before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using the ignoreEmpty option when parsing. This has been patched… |
| CVE-2020-25630 | | — | 0.00 | — | 0.01 | | Dec 8, 2020 | A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and… |
| CVE-2020-27813 | | — | 0.00 | — | 0.02 | | Dec 2, 2020 | An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections. |
| CVE-2020-7779 | | | 0.00 | — | 0.02 | | Nov 26, 2020 | All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!. |
| CVE-2020-26242 | | | 0.00 | — | 0.01 | | Nov 25, 2020 | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18. |
| CVE-2020-7765 | | — | 0.00 | — | 0.01 | | Nov 16, 2020 | This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program. |
| CVE-2020-7767 | | — | 0.00 | — | 0.02 | | Nov 11, 2020 | All versions of package express-validators are vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid urls. |
| CVE-2020-7766 | | — | 0.00 | — | 0.02 | | Nov 10, 2020 | This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively sets the property in the target object, however it does… |
| CVE-2020-7761 | | — | 0.00 | — | 0.02 | | Nov 5, 2020 | This affects the package @absolunet/kafe before 3.2.10. It allows causing a denial of service when validating crafted invalid emails. |
| CVE-2020-25201 | | — | 0.00 | — | 0.03 | | Nov 4, 2020 | HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. |
| CVE-2020-7760 | | | 0.00 | — | 0.05 | | Oct 30, 2020 | This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.j… |
| CVE-2020-25689 | | — | 0.00 | — | 0.01 | | Oct 30, 2020 | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out… |
| CVE-2020-7755 | | — | 0.00 | — | 0.02 | | Oct 27, 2020 | All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values. |
| CVE-2020-7754 | | — | 0.00 | — | 0.03 | | Oct 27, 2020 | This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. |
| CVE-2020-7753 | | — | 0.00 | — | 0.04 | | Oct 27, 2020 | All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim(). |
| CVE-2019-20922 | | — | 0.00 | — | 0.04 | | Sep 30, 2020 | Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources. |