CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
Page 45 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-27819 | — | — | 0.00 | — | 0.01 | — | Apr 7, 2022 | SWHKD 1.1.5 allows unsafe parsing via the -c option. An information leak might occur but there is a simple denial of service (memory exhaustion) upon an attempt to parse a large or infinite file (such as a block or character device). |
| CVE-2022-22950 | — | — | 0.00 | — | 0.37 | — | Apr 1, 2022 | In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. |
| CVE-2022-21822 | — | — | 0.00 | — | 0.01 | — | Mar 17, 2022 | NVIDIA FLARE contains a vulnerability in the admin interface, where an unauthorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to the system becoming unavailable. |
| CVE-2021-32476 | — | — | 0.00 | — | 0.01 | — | Mar 11, 2022 | A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
| CVE-2022-26336 | — | — | 0.00 | — | 0.01 | — | Mar 4, 2022 | A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the… |
| CVE-2022-21716 | — | — | 0.00 | — | 0.04 | — | Mar 3, 2022 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementation is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available… |
| CVE-2022-24685 | — | — | 0.00 | — | 0.02 | — | Feb 28, 2022 | HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6. |
| CVE-2022-24614 | — | — | 0.00 | — | 0.01 | — | Feb 24, 2022 | When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use… |
| CVE-2022-21732 | — | — | 0.00 | — | 0.01 | — | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `num_threads` argument is only checked to not be negative, but there is no upper… |
| CVE-2022-24196 | — | — | 0.00 | — | 0.02 | — | Feb 1, 2022 | iText v7.1.17, up to (excluding) 7.1.18 and 7.2.2 was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. |
| CVE-2021-39480 | — | — | 0.00 | — | 0.01 | — | Jan 21, 2022 | Bingrep v0.8.5 was discovered to contain a memory allocation failure which can cause a Denial of Service (DoS). |
| CVE-2022-23837 | — | — | 0.00 | — | 0.05 | — | Jan 21, 2022 | In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. |
| CVE-2022-23435 | — | — | 0.00 | — | 0.01 | — | Jan 19, 2022 | decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service. |
| CVE-2021-43045 | — | — | 0.00 | — | 0.03 | — | Jan 6, 2022 | A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0… |
| CVE-2021-45699 | — | — | 0.00 | — | 0.01 | — | Dec 26, 2021 | An issue was discovered in the ckb crate before 0.40.0 for Rust. Remote attackers may be able to conduct a 51% attack against the Nervos CKB blockchain by triggering an inability to allocate memory for the misbehavior HashMap. |
| CVE-2021-3912 | — | — | 0.00 | — | 0.01 | — | Nov 11, 2021 | OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). |
| CVE-2021-41167 | — | — | 0.00 | — | 0.02 | — | Oct 20, 2021 | modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions there is a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but,… |
| CVE-2021-41800 | — | — | 0.00 | — | 0.02 | — | Oct 11, 2021 | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. |
| CVE-2021-33320 | — | — | 0.00 | — | 0.01 | — | Aug 3, 2021 | The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site… |
| CVE-2021-35517 | — | — | 0.00 | — | 0.11 | — | Jul 13, 2021 | When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. |