VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Base · Incomplete · Likelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 21 of 49
  • CVE-2022-21716 · High · Mar 3, 2022
    risk 0.42 · cvss 7.5 · epss 0.04

    Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementation is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available…

  • CVE-2022-23837 · High · Jan 21, 2022
    risk 0.42 · cvss 7.5 · epss 0.05

    In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

  • CVE-2022-23435 · High · Jan 19, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service.

  • CVE-2021-41167 · High · Oct 20, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions there is a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but,…

  • CVE-2021-29063 · High · Jun 21, 2021
    risk 0.42 · cvss 7.5 · epss 0.04

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.

  • CVE-2021-29061 · High · Jun 21, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Vfsjfilechooser2 version 0.2.9 and below which occurs when the application attempts to validate crafted URIs.

  • CVE-2021-29059 · High · Jun 21, 2021
    risk 0.42 · cvss 7.5 · epss 0.03

    A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

  • CVE-2021-29430 · High · Apr 15, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response…

  • CVE-2020-28491 · High · Feb 18, 2021
    risk 0.42 · cvss 7.5 · epss 0.03

    This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

  • CVE-2021-21294 · High · Feb 2, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections…

  • CVE-2021-21293 · High · Feb 2, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections…

  • CVE-2020-10758 · High · Sep 16, 2020
    risk 0.42 · cvss 7.5 · epss 0.02

    A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

  • CVE-2020-8203 · High · Jul 15, 2020
    risk 0.42 · cvss 7.4 · epss 0.05

    Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

  • CVE-2020-13250 · High · Jun 11, 2020
    risk 0.42 · cvss 7.5 · epss 0.03

    HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.

  • CVE-2019-11939 · High · Mar 18, 2020
    risk 0.42 · cvss 7.5 · epss 0.02

    Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This…

  • CVE-2020-7226 · High · Jan 24, 2020
    risk 0.42 · cvss 7.5 · epss 0.03

    CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of…

  • CVE-2019-16865 · High · Oct 4, 2019
    risk 0.42 · cvss 7.5 · epss 0.03

    An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

  • CVE-2019-5419 · High · Mar 27, 2019
    risk 0.42 · cvss 7.5 · epss 0.09

    There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.

  • CVE-2019-6975 · High · Feb 11, 2019
    risk 0.42 · cvss 7.5 · epss 0.05

    Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.

  • CVE-2018-15404 · Medium · Oct 5, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient…