VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

BaseIncompleteLikelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 39 of 49
  • CVE-2024-28949Apr 5, 2024
    risk 0.00cvss epss 0.01

    Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.

  • CVE-2024-29025Mar 25, 2024
    risk 0.00cvss epss 0.01

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so,…

  • CVE-2024-28053Mar 15, 2024
    risk 0.00cvss epss 0.01

    Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.

  • CVE-2024-28102Mar 6, 2024
    risk 0.00cvss epss 0.01

    JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot…

  • CVE-2024-1953Feb 29, 2024
    risk 0.00cvss epss 0.01

    Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP…

  • CVE-2024-22201Feb 26, 2024
    risk 0.00cvss epss 0.01

    Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually…

  • CVE-2024-26265Feb 20, 2024
    risk 0.00cvss epss 0.01

    The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can…

  • CVE-2024-25978Feb 19, 2024
    risk 0.00cvss epss 0.01

    Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

  • CVE-2024-26308Feb 19, 2024
    risk 0.00cvss epss 0.01

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

  • CVE-2023-52428Feb 11, 2024
    risk 0.00cvss epss 0.01

    In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

  • CVE-2024-25143Feb 7, 2024
    risk 0.00cvss epss 0.01

    The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which…

  • CVE-2024-24680Feb 6, 2024
    risk 0.00cvss epss 0.02

    An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

  • CVE-2024-24752Feb 1, 2024
    risk 0.00cvss epss 0.01

    Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is…

  • CVE-2024-23820Jan 26, 2024
    risk 0.00cvss epss 0.01

    OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those…

  • CVE-2023-6476Jan 9, 2024
    risk 0.00cvss epss 0.01

    A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.

  • CVE-2024-21634Jan 3, 2024
    risk 0.00cvss epss 0.01

    Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into…

  • CVE-2023-46738Jan 3, 2024
    risk 0.00cvss epss 0.01

    CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from…

  • CVE-2023-6563Dec 14, 2023
    risk 0.00cvss epss 0.01

    An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open…

  • CVE-2023-6337Dec 8, 2023
    risk 0.00cvss epss 0.01

    HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the…

  • CVE-2023-47633Dec 4, 2023
    risk 0.00cvss epss 0.01

    Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been…