VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

BaseIncompleteLikelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 28 of 49
  • CVE-2023-34462MedJun 22, 2023
    risk 0.35cvss 6.5epss 0.02

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does…

  • CVE-2023-2253MedJun 6, 2023
    risk 0.35cvss 6.5epss 0.01

    A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the…

  • CVE-2023-20863MedApr 13, 2023
    risk 0.35cvss 6.5epss 0.01

    In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

  • CVE-2022-4723MedDec 27, 2022
    risk 0.35cvss 6.5epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5.

  • CVE-2022-41717MedDec 8, 2022
    risk 0.35cvss 5.3epss 0.06

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the…

  • CVE-2022-43686MedNov 14, 2022
    risk 0.35cvss 6.5epss 0.01

    In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

  • CVE-2022-36055MedSep 1, 2022
    risk 0.35cvss 6.5epss 0.01

    Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns…

  • CVE-2022-22971MedMay 12, 2022
    risk 0.35cvss 6.5epss 0.03

    In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

  • CVE-2022-25844MedMay 1, 2022
    risk 0.35cvss 5.3epss 0.05

    The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This…

  • CVE-2022-21294MedJan 19, 2022
    risk 0.35cvss 5.3epss 0.03

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily…

  • CVE-2021-32699MedJun 22, 2021
    risk 0.35cvss 6.5epss 0.00

    Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more…

  • CVE-2021-29511MedMay 12, 2021
    risk 0.35cvss 6.5epss 0.01

    evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an…

  • CVE-2021-20185MedJan 28, 2021
    risk 0.35cvss 5.3epss 0.01

    It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

  • CVE-2021-21607MedJan 13, 2021
    risk 0.35cvss 6.5epss 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

  • CVE-2020-12697MedMay 13, 2020
    risk 0.35cvss 5.3epss 0.01

    The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries.

  • CVE-2019-16770MedDec 5, 2019
    risk 0.35cvss 5.3epss 0.02

    In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait…

  • CVE-2005-4650MedDec 31, 2005
    risk 0.35cvss 5.3epss 0.02

    Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resource consumption) via a large number of Search Mambots.

  • CVE-2026-50560MedJun 12, 2026
    risk 0.34cvss 5.3epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification…

  • CVE-2026-49347MedJun 12, 2026
    risk 0.34cvss epss 0.00

    Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without…

  • CVE-2026-45031MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.01

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other…