VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 20 of 49
  • CVE-2023-27901 · High · Mar 10, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of…

  • CVE-2023-27900 · High · Mar 10, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of…

  • CVE-2023-25656 · High · Feb 20, 2023
    risk 0.42 · cvss 7.5 · epss 0.00

    notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus…

  • CVE-2023-25578 · High · Feb 15, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited…

  • CVE-2023-25171 · High · Feb 15, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the password reset page. An attacker could potentially send a large number of emails if they know the email…

  • CVE-2023-25577 · High · Feb 14, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small number of bytes, but each requires CPU time to parse and may use more…

  • CVE-2023-25576 · High · Feb 14, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    @fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body…

  • CVE-2020-36568 · High · Dec 27, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation.

  • CVE-2022-3371 · High · Sep 30, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3.

  • CVE-2022-3364 · High · Sep 29, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3.

  • CVE-2022-3298 · High · Sep 26, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8.

  • CVE-2022-3295 · High · Sep 26, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8.

  • CVE-2022-34917 · High · Sep 20, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial…

  • CVE-2022-3212 · High · Sep 14, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    `<bytes::Bytes as axum_core::extract::FromRequest>::from_request` would not, by default, set a limit for the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash. This also applies to…

  • CVE-2022-0084 · High · Aug 26, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or…

  • CVE-2022-25304 · High · Aug 23, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    All versions of package opcua and all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks, per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by…

  • CVE-2022-25231 · High · Aug 23, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds v8's memory limit.

  • CVE-2022-35922 · High · Aug 1, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Rust-WebSocket is a WebSocket (RFC 6455) library written in Rust. In versions prior to 0.26.5, untrusted WebSocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is in dataframe parsing. Affected versions would…

  • CVE-2022-31016 · Medium · Jun 25, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must…

  • CVE-2022-1708 · High · Jun 7, 2022
    risk 0.42 · cvss 7.5 · epss 0.03

    A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and…