VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

BaseIncompleteLikelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 42 of 49
  • CVE-2023-26964Apr 11, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

  • CVE-2023-28837Apr 3, 2023
    risk 0.00cvss epss 0.01

    Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional…

  • CVE-2023-28867Mar 27, 2023
    risk 0.00cvss epss 0.01

    In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

  • CVE-2023-28119Mar 22, 2023
    risk 0.00cvss epss 0.01

    The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing…

  • CVE-2021-46877Mar 18, 2023
    risk 0.00cvss epss 0.01

    jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

  • CVE-2023-28104Mar 16, 2023
    risk 0.00cvss epss 0.01

    `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly…

  • CVE-2023-27530Mar 10, 2023
    risk 0.00cvss epss 0.02

    A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.

  • CVE-2023-27901Mar 8, 2023
    risk 0.00cvss epss 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of…

  • CVE-2023-27900Mar 8, 2023
    risk 0.00cvss epss 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of…

  • CVE-2022-41727Feb 28, 2023
    risk 0.00cvss epss 0.00

    An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

  • CVE-2023-24998Feb 20, 2023
    risk 0.00cvss epss 0.47

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new…

  • CVE-2023-25656Feb 20, 2023
    risk 0.00cvss epss 0.00

    notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus…

  • CVE-2023-25153Feb 16, 2023
    risk 0.00cvss epss 0.00

    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of…

  • CVE-2023-25578Feb 15, 2023
    risk 0.00cvss epss 0.01

    Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited…

  • CVE-2023-25171Feb 15, 2023
    risk 0.00cvss epss 0.01

    Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email…

  • CVE-2023-25577Feb 14, 2023
    risk 0.00cvss epss 0.01

    Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more…

  • CVE-2023-25576Feb 14, 2023
    risk 0.00cvss epss 0.01

    @fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body…

  • CVE-2023-23969Feb 1, 2023
    risk 0.00cvss epss 0.47

    In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language…

  • CVE-2020-36568Dec 27, 2022
    risk 0.00cvss epss 0.01

    Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation.

  • CVE-2022-4723Dec 23, 2022
    risk 0.00cvss epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5.