VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 22 of 49
  • CVE-2018-10908 · Medium · Aug 9, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory or CPU time, causing a denial of service…

  • CVE-2016-9578 · High · Jul 27, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash.

  • CVE-2018-3737 · High · Jun 7, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

  • CVE-2018-3711 · High · Jun 7, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload.

  • CVE-2018-1274 · High · Apr 18, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST…

  • CVE-2017-18258 · Medium · Apr 8, 2018
    risk 0.42 · cvss 6.5 · epss 0.03

    The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

  • CVE-2017-18229 · Medium · Mar 14, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which allows attackers to cause a denial of service via a crafted file, because file size is not properly used to restrict scanline,…

  • CVE-2018-6869 · Medium · Feb 9, 2018
    risk 0.42 · cvss 6.5 · epss 0.03

    In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.

  • CVE-2017-18028 · Medium · Jan 12, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    In ImageMagick 7.0.7-1 Q16, a memory exhaustion vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which allows remote attackers to cause a denial of service via a crafted file.

  • CVE-2018-0006 · Medium · Jan 10, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    A high rate of VLAN authentication attempts sent from an adjacent host on the local broadcast domain can trigger high memory utilization by the BBE subscriber management daemon (bbe-smgd), and lead to a denial of service condition. The issue was caused by attempting to process…

  • CVE-2017-14992 · Medium · Nov 1, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.

  • CVE-2017-14531 · Medium · Sep 18, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in coders/sun.c.

  • CVE-2017-12693 · Medium · Sep 1, 2017
    risk 0.42 · cvss 6.5 · epss 0.03

    The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted BMP file.

  • CVE-2017-12692 · Medium · Sep 1, 2017
    risk 0.42 · cvss 6.5 · epss 0.03

    The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted VIFF file.

  • CVE-2017-12691 · Medium · Sep 1, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted file.

  • CVE-2017-13763 · High · Aug 30, 2017
    risk 0.42 · cvss 7.5 · epss 0.01

    ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.

  • CVE-2017-12875 · Medium · Aug 29, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    The WritePixelCachePixels function in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (CPU consumption) via a crafted file.

  • CVE-2017-13133 · Medium · Aug 23, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks offset validation, which allows attackers to cause a denial of service (load_tile memory exhaustion) via a crafted file.

  • CVE-2017-12643 · Medium · Aug 7, 2017
    risk 0.42 · cvss 6.5 · epss 0.03

    ImageMagick 7.0.6-1 has a memory exhaustion vulnerability in ReadOneJNGImage in coders/png.c.

  • CVE-2017-12563 · Medium · Aug 5, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c, which allows attackers to cause a denial of service.
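Several entries on this page (the Docker "gzip bombing" layer, the libxml2 LZMA decoder, the Fastify large-body request) are the same weakness seen from the input side: the consumer inflates or buffers whatever the peer sends with no cap on the result. The following is an added example, not code from this page or from any of the listed projects, of a bounded decompressor in Python's `zlib`; the output cap, the expansion-ratio limit, the chunk size and the function names are assumptions chosen for the example.

```python
"""Added example: bounded vs. naive decompression (CWE-770 on the input side).
The caps, chunk size and names below are assumptions for this example."""
import gzip
import zlib

MAX_OUTPUT = 1 * 1024 * 1024      # inflated bytes we are willing to hold (1 MiB)
MAX_RATIO = 100                   # reject if output exceeds 100x the compressed input
CHUNK = 64 * 1024                 # inflate at most this much per step


class DecompressionBomb(ValueError):
    """Raised when inflated output exceeds the configured size or ratio cap."""


def inflate_naive(data: bytes) -> bytes:
    """Vulnerable: produces as much output as the stream asks for."""
    return zlib.decompress(data, wbits=zlib.MAX_WBITS | 32)   # zlib or gzip framing


def inflate_bounded(data: bytes, max_output: int = MAX_OUTPUT,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Hardened: streams the inflate in bounded steps and stops the moment
    either the absolute output cap or the expansion ratio is exceeded, so
    memory use never grows past max_output + CHUNK regardless of the input."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    pending = data
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)   # never inflates more than CHUNK here
        pending = d.unconsumed_tail            # input not yet consumed, if any
        out += chunk
        if len(out) > max_output:
            raise DecompressionBomb(f"inflated output exceeds {max_output} bytes")
        if len(out) > max_ratio * len(data):
            raise DecompressionBomb(f"expansion ratio exceeds {max_ratio}:1")
        if not chunk and not pending:          # no progress and no input left
            break
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def classify(data: bytes) -> tuple[str, object]:
    """Maps the outcome of inflate_bounded to a label so results can be compared."""
    try:
        return "ok", len(inflate_bounded(data))
    except DecompressionBomb as e:
        return "bomb", str(e)
    except zlib.error:
        return "corrupt", ""
    except ValueError as e:
        return "truncated", str(e)


def make_bomb(inflated_size: int) -> bytes:
    """Constructed sample input: a stream of zeros compresses at about 1000:1."""
    return zlib.compress(bytes(inflated_size), 9)


# Constructed sample inputs, embedded so the example runs offline.
SAMPLE_TEXT = b"".join(b"event %d: login ok\n" % i for i in range(200))
SAMPLE_ZLIB = zlib.compress(SAMPLE_TEXT)
SAMPLE_GZIP = gzip.compress(SAMPLE_TEXT)

if __name__ == "__main__":
    bomb = make_bomb(16 * 1024 * 1024)          # ~16 KiB on the wire, 16 MiB inflated
    print(len(bomb), "compressed bytes")
    print(classify(SAMPLE_ZLIB))                # ('ok', 3800)
    print(classify(SAMPLE_GZIP))                # ('ok', 3800)
    print(classify(bomb))                       # ('bomb', 'inflated output exceeds ...')
    print(classify(SAMPLE_ZLIB[:-6]))           # ('truncated', ...)
    print(len(inflate_naive(bomb)))             # 16777216: the naive path pays in full
```

The ratio check is measured against the whole compressed input rather than the bytes consumed so far, which is conservative but simple; the absolute cap is the control that actually matters, since an attacker can always pad a bomb with incompressible data to dilute the ratio. The same two limits belong on any request-body, archive-entry or image-layer reader.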