VYPR

CWE-400

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 88 of 93
  • CVE-2019-17592 · Oct 14, 2019
    risk 0.00 · cvss · epss 0.02

    The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.

  • CVE-2019-16892 · Sep 25, 2019
    risk 0.00 · cvss · epss 0.02

    In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

  • CVE-2019-15549 · Aug 26, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the asn1_der crate before 0.6.2 for Rust. Attackers can trigger memory exhaustion by supplying a large value in a length field.

  • CVE-2019-10750 · Aug 23, 2019
    risk 0.00 · cvss · epss 0.02

    deeply is vulnerable to Prototype Pollution in versions before 3.1.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.

  • CVE-2019-9512 · Aug 13, 2019
    risk 0.00 · cvss · epss 0.83

    Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can…

  • CVE-2019-9514 · Aug 13, 2019
    risk 0.00 · cvss · epss 0.83

    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the…

  • CVE-2019-14232 · Aug 2, 2019
    risk 0.00 · cvss · epss 0.04

    An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic…

  • CVE-2019-14262 · Jul 25, 2019
    risk 0.00 · cvss · epss 0.02

    MetadataExtractor 2.1.0 allows stack consumption.

  • CVE-2019-1010266 · Jul 17, 2019
    risk 0.00 · cvss · epss 0.03

    lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The…

  • CVE-2019-1010083 · Jul 17, 2019
    risk 0.00 · cvss · epss 0.02

    The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.

  • CVE-2019-12473 · Jul 10, 2019
    risk 0.00 · cvss · epss 0.02

    Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2019-12041 · May 13, 2019
    risk 0.00 · cvss · epss 0.01

    lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section.

  • CVE-2018-12680 · Apr 2, 2019
    risk 0.00 · cvss · epss 0.01

    The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and…

  • CVE-2018-12545 · Mar 27, 2019
    risk 0.00 · cvss · epss 0.05

    In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory…

  • CVE-2019-5419 · Mar 27, 2019
    risk 0.00 · cvss · epss 0.09

    There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.

  • CVE-2018-17419 · Mar 7, 2019
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in setTA in scan_rr.go in the Miek Gieben DNS library before 1.0.10 for Go. A dns.ParseZone() parsing error causes a segmentation violation, leading to denial of service.

  • CVE-2018-16490 · Feb 1, 2019
    risk 0.00 · cvss · epss 0.01

    A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.

  • CVE-2018-16486 · Feb 1, 2019
    risk 0.00 · cvss · epss 0.01

    A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.

  • CVE-2018-16489 · Feb 1, 2019
    risk 0.00 · cvss · epss 0.02

    A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its functions.

  • CVE-2018-16491 · Feb 1, 2019
    risk 0.00 · cvss · epss 0.02

    A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.