VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

BaseIncompleteLikelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 19 of 49
  • CVE-2024-0241HigJan 4, 2024
    risk 0.42cvss 7.5epss 0.01

    encoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an extremely long "id" parameter.

  • CVE-2023-6337HigDec 8, 2023
    risk 0.42cvss 7.5epss 0.01

    HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the…

  • CVE-2023-47633HigDec 4, 2023
    risk 0.42cvss 7.5epss 0.01

    Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been…

  • CVE-2023-47108HigNov 10, 2023
    risk 0.42cvss 7.5epss 0.02

    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound…

  • CVE-2023-44271HigNov 3, 2023
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw…

  • CVE-2023-45142HigOct 12, 2023
    risk 0.42cvss 7.5epss 0.01

    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious…

  • CVE-2023-43642HigSep 25, 2023
    risk 0.42cvss 7.5epss 0.01

    snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk…

  • CVE-2023-42457HigSep 21, 2023
    risk 0.42cvss 7.5epss 0.01

    plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the…

  • CVE-2021-29057MedAug 11, 2023
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3, allows attackers to cause a denial of service.

  • CVE-2023-39533HigAug 8, 2023
    risk 0.42cvss 7.5epss 0.01

    go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This…

  • CVE-2023-29408MedAug 2, 2023
    risk 0.42cvss 6.5epss 0.01

    The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming…

  • CVE-2023-36814HigJul 3, 2023
    risk 0.42cvss 7.5epss 0.01

    Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on `PortalFolder` objects can lead to an unauthenticated denial of service and crash situation. The…

  • CVE-2023-34455HigJun 15, 2023
    risk 0.42cvss 7.5epss 0.02

    snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1. The code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more…

  • CVE-2023-2666HigMay 12, 2023
    risk 0.42cvss 7.5epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16.

  • CVE-2023-30551HigMay 8, 2023
    risk 0.42cvss 7.5epss 0.01

    Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can…

  • CVE-2023-26964HigApr 11, 2023
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

  • CVE-2023-28867HigMar 27, 2023
    risk 0.42cvss 7.5epss 0.01

    In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

  • CVE-2023-28119HigMar 22, 2023
    risk 0.42cvss 7.5epss 0.01

    The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing…

  • CVE-2021-46877HigMar 18, 2023
    risk 0.42cvss 7.5epss 0.01

    jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

  • CVE-2023-28104HigMar 16, 2023
    risk 0.42cvss 7.5epss 0.01

    `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly…