CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
page 21 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-21716 | Hig | 0.42 | 7.5 | 0.04 | Mar 3, 2022 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available… | ||
| CVE-2022-23837 | Hig | 0.42 | 7.5 | 0.05 | Jan 21, 2022 | In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. | ||
| CVE-2022-23435 | — | Hig | 0.42 | 7.5 | 0.01 | Jan 19, 2022 | decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service. | |
| CVE-2021-41167 | Hig | 0.42 | 7.5 | 0.02 | Oct 20, 2021 | modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but,… | ||
| CVE-2021-29063 | — | Hig | 0.42 | 7.5 | 0.04 | Jun 21, 2021 | A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called. | |
| CVE-2021-29061 | — | Hig | 0.42 | 7.5 | 0.02 | Jun 21, 2021 | A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Vfsjfilechooser2 version 0.2.9 and below which occurs when the application attempts to validate crafted URIs. | |
| CVE-2021-29059 | — | Hig | 0.42 | 7.5 | 0.03 | Jun 21, 2021 | A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string. | |
| CVE-2021-29430 | Hig | 0.42 | 7.5 | 0.02 | Apr 15, 2021 | Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response… | ||
| CVE-2020-28491 | — | Hig | 0.42 | 7.5 | 0.03 | Feb 18, 2021 | This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. | |
| CVE-2021-21294 | — | Hig | 0.42 | 7.5 | 0.02 | Feb 2, 2021 | Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections… | |
| CVE-2021-21293 | — | Hig | 0.42 | 7.5 | 0.02 | Feb 2, 2021 | blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections… | |
| CVE-2020-10758 | Hig | 0.42 | 7.5 | 0.02 | Sep 16, 2020 | A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | ||
| CVE-2020-8203 | — | Hig | 0.42 | 7.4 | 0.05 | Jul 15, 2020 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | |
| CVE-2020-13250 | — | Hig | 0.42 | 7.5 | 0.03 | Jun 11, 2020 | HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4. | |
| CVE-2019-11939 | Hig | 0.42 | 7.5 | 0.02 | Mar 18, 2020 | Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This… | ||
| CVE-2020-7226 | — | Hig | 0.42 | 7.5 | 0.03 | Jan 24, 2020 | CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of… | |
| CVE-2019-16865 | — | Hig | 0.42 | 7.5 | 0.03 | Oct 4, 2019 | An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. | |
| CVE-2019-5419 | — | Hig | 0.42 | 7.5 | 0.09 | Mar 27, 2019 | There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive. | |
| CVE-2019-6975 | Hig | 0.42 | 7.5 | 0.05 | Feb 11, 2019 | Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. | ||
| CVE-2018-15404 | Med | 0.42 | 6.5 | 0.01 | Oct 5, 2018 | A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient… |
- risk 0.42cvss 7.5epss 0.04
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available…
- risk 0.42cvss 7.5epss 0.05
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
- risk 0.42cvss 7.5epss 0.01
decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service.
- risk 0.42cvss 7.5epss 0.02
modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but,…
- risk 0.42cvss 7.5epss 0.04
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
- risk 0.42cvss 7.5epss 0.02
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Vfsjfilechooser2 version 0.2.9 and below which occurs when the application attempts to validate crafted URIs.
- risk 0.42cvss 7.5epss 0.03
A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
- risk 0.42cvss 7.5epss 0.02
Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response…
- risk 0.42cvss 7.5epss 0.03
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
- risk 0.42cvss 7.5epss 0.02
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections…
- risk 0.42cvss 7.5epss 0.02
blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections…
- risk 0.42cvss 7.5epss 0.02
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
- risk 0.42cvss 7.4epss 0.05
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
- risk 0.42cvss 7.5epss 0.03
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.
- risk 0.42cvss 7.5epss 0.02
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This…
- risk 0.42cvss 7.5epss 0.03
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of…
- risk 0.42cvss 7.5epss 0.03
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
- risk 0.42cvss 7.5epss 0.09
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.
- risk 0.42cvss 7.5epss 0.05
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
- risk 0.42cvss 6.5epss 0.01
A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient…