CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 87 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-8552 | | | 0.00 | — | 0.02 | | Mar 27, 2020 | The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. |
| CVE-2020-1950 | | | 0.00 | — | 0.03 | | Mar 23, 2020 | A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23. |
| CVE-2020-8136 | | | 0.00 | — | 0.01 | | Mar 20, 2020 | Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request. |
| CVE-2020-7212 | | | 0.00 | — | 0.03 | | Mar 6, 2020 | The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not… |
| CVE-2019-10798 | | | 0.00 | — | 0.01 | | Feb 24, 2020 | rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects resulting in Prototype Pollution. The rdf.Graph.prototype.add method could be tricked into adding or modifying properties of Object.prototype. |
| CVE-2015-4411 | | | 0.00 | — | 0.06 | | Feb 20, 2020 | The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix to CVE-2015-4410. |
| CVE-2020-8123 | | | 0.00 | — | 0.01 | | Feb 4, 2020 | A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights and can lead to arbitrary restart of the application. |
| CVE-2020-5236 | | | 0.00 | — | 0.03 | | Feb 4, 2020 | Waitress version 1.4.2 allows a DOS attack when waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use… |
| CVE-2020-7219 | | | 0.00 | — | 0.02 | | Jan 31, 2020 | HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. |
| CVE-2020-7218 | | | 0.00 | — | 0.01 | | Jan 31, 2020 | HashiCorp Nomad and Nomad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3. |
| CVE-2019-14888 | | | 0.00 | — | 0.02 | | Jan 23, 2020 | A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. |
| CVE-2020-0602 | | | 0.00 | — | 0.08 | | Jan 14, 2020 | A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'. |
| CVE-2020-6173 | | | 0.00 | — | 0.01 | | Jan 14, 2020 | TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncontrolled Resource Consumption. |
| CVE-2014-5012 | | | 0.00 | — | 0.01 | | Jan 10, 2020 | DOMPDF before 0.6.2 allows denial of service. |
| CVE-2014-3211 | | | 0.00 | — | 0.01 | | Jan 9, 2020 | Publify before 8.0.1 is vulnerable to a Denial of Service attack. |
| CVE-2019-10775 | | | 0.00 | — | 0.01 | | Jan 2, 2020 | ecstatic has a denial of service vulnerability. Successful exploitation could lead to a crash of an application. |
| CVE-2019-16555 | | | 0.00 | — | 0.01 | | Dec 17, 2019 | A user-supplied regular expression in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier was processed in a way that wasn't interruptible, allowing attackers to have Jenkins evaluate a regular expression without the ability to interrupt this process. |
| CVE-2019-14867 | | | 0.00 | — | 0.06 | | Nov 27, 2019 | A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker… |
| CVE-2019-16764 | | | 0.00 | — | 0.01 | | Nov 25, 2019 | The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to… |
| CVE-2019-11287 | | | 0.00 | — | 0.05 | | Nov 22, 2019 | Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason"… |