CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
page 28 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-34462 | Med | 0.35 | 6.5 | 0.02 | Jun 22, 2023 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does… | ||
| CVE-2023-2253 | Med | 0.35 | 6.5 | 0.01 | Jun 6, 2023 | A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the… | ||
| CVE-2023-20863 | — | Med | 0.35 | 6.5 | 0.01 | Apr 13, 2023 | In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. | |
| CVE-2022-4723 | — | Med | 0.35 | 6.5 | 0.01 | Dec 27, 2022 | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5. | |
| CVE-2022-41717 | — | Med | 0.35 | 5.3 | 0.06 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the… | |
| CVE-2022-43686 | — | Med | 0.35 | 6.5 | 0.01 | Nov 14, 2022 | In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | |
| CVE-2022-36055 | Med | 0.35 | 6.5 | 0.01 | Sep 1, 2022 | Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns… | ||
| CVE-2022-22971 | — | Med | 0.35 | 6.5 | 0.03 | May 12, 2022 | In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. | |
| CVE-2022-25844 | Med | 0.35 | 5.3 | 0.05 | May 1, 2022 | The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This… | ||
| CVE-2022-21294 | Med | 0.35 | 5.3 | 0.03 | Jan 19, 2022 | Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily… | ||
| CVE-2021-32699 | Med | 0.35 | 6.5 | 0.00 | Jun 22, 2021 | Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more… | ||
| CVE-2021-29511 | — | Med | 0.35 | 6.5 | 0.01 | May 12, 2021 | evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an… | |
| CVE-2021-20185 | — | Med | 0.35 | 5.3 | 0.01 | Jan 28, 2021 | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. | |
| CVE-2021-21607 | Med | 0.35 | 6.5 | 0.01 | Jan 13, 2021 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. | ||
| CVE-2020-12697 | — | Med | 0.35 | 5.3 | 0.01 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries. | |
| CVE-2019-16770 | — | Med | 0.35 | 5.3 | 0.02 | Dec 5, 2019 | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait… | |
| CVE-2005-4650 | Med | 0.35 | 5.3 | 0.02 | Dec 31, 2005 | Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resource consumption) via a large number of Search Mambots. | ||
| CVE-2026-50560 | Med | 0.34 | 5.3 | 0.00 | Jun 12, 2026 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification… | ||
| CVE-2026-49347 | Med | 0.34 | — | 0.00 | Jun 12, 2026 | Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without… | ||
| CVE-2026-45031 | Med | 0.34 | 5.3 | 0.01 | Jun 10, 2026 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other… |
- risk 0.35cvss 6.5epss 0.02
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does…
- risk 0.35cvss 6.5epss 0.01
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the…
- risk 0.35cvss 6.5epss 0.01
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
- risk 0.35cvss 6.5epss 0.01
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5.
- risk 0.35cvss 5.3epss 0.06
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the…
- risk 0.35cvss 6.5epss 0.01
In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).
- risk 0.35cvss 6.5epss 0.01
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns…
- risk 0.35cvss 6.5epss 0.03
In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
- risk 0.35cvss 5.3epss 0.05
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This…
- risk 0.35cvss 5.3epss 0.03
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily…
- risk 0.35cvss 6.5epss 0.00
Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more…
- risk 0.35cvss 6.5epss 0.01
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an…
- risk 0.35cvss 5.3epss 0.01
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
- risk 0.35cvss 6.5epss 0.01
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.
- risk 0.35cvss 5.3epss 0.01
The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries.
- risk 0.35cvss 5.3epss 0.02
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait…
- risk 0.35cvss 5.3epss 0.02
Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resource consumption) via a large number of Search Mambots.
- risk 0.34cvss 5.3epss 0.00
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification…
- risk 0.34cvss —epss 0.00
Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without…
- risk 0.34cvss 5.3epss 0.01
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other…