CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
Page 44 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-36055 | | | 0.00 | — | 0.01 | | Sep 1, 2022 | Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns… |
| CVE-2022-0084 | | | 0.00 | — | 0.01 | | Aug 26, 2022 | A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or… |
| CVE-2022-25888 | | | 0.00 | — | 0.01 | | Aug 23, 2022 | The package opcua from 0.0.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge… |
| CVE-2022-25231 | | | 0.00 | — | 0.01 | | Aug 23, 2022 | The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit. |
| CVE-2022-25304 | | | 0.00 | — | 0.01 | | Aug 23, 2022 | All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by… |
| CVE-2022-36124 | | | 0.00 | — | 0.01 | | Aug 9, 2022 | It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version… |
| CVE-2022-35922 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would… |
| CVE-2022-35915 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue… |
| CVE-2022-31080 | | | 0.00 | — | 0.01 | | Jul 11, 2022 | KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, a large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of… |
| CVE-2022-31079 | | | 0.00 | — | 0.01 | | Jul 11, 2022 | KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the Cloud Stream server and the Edge Stream server reads the entire message into memory without imposing a… |
| CVE-2022-31078 | | | 0.00 | — | 0.01 | | Jul 11, 2022 | KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the CloudCore Router does not impose a limit on the size of responses to requests made by the REST handler.… |
| CVE-2022-31075 | | | 0.00 | — | 0.01 | | Jul 11, 2022 | KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker was to send a well-crafted HTTP… |
| CVE-2022-31016 | | | 0.00 | — | 0.01 | | Jun 25, 2022 | Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must… |
| CVE-2022-22979 | | | 0.00 | — | 0.01 | | Jun 21, 2022 | In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework. |
| CVE-2022-1708 | | | 0.00 | — | 0.03 | | Jun 7, 2022 | A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and… |
| CVE-2022-25169 | | | 0.00 | — | 0.02 | | May 16, 2022 | The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. |
| CVE-2022-22971 | | | 0.00 | — | 0.03 | | May 12, 2022 | In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. |
| CVE-2022-22970 | | | 0.00 | — | 0.02 | | May 12, 2022 | In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. |
| CVE-2022-25844 | | | 0.00 | — | 0.05 | | May 1, 2022 | The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This… |
| CVE-2022-1337 | | | 0.00 | — | 0.01 | | Apr 13, 2022 | The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files. |