CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
page 8 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-21634 | — | Hig | 0.49 | 7.5 | 0.01 | Jan 3, 2024 | Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into… | |
| CVE-2023-39325 | — | Hig | 0.49 | 7.5 | 0.04 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the… | |
| CVE-2023-37279 | Hig | 0.49 | 7.5 | 0.01 | Sep 20, 2023 | Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. The vulnerability is related to how the backend reads the `days` URL query… | ||
| CVE-2023-32186 | Hig | 0.49 | 7.5 | 0.01 | Sep 19, 2023 | A Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before… | ||
| CVE-2023-32187 | — | Hig | 0.49 | 7.5 | 0.01 | Sep 18, 2023 | An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before… | |
| CVE-2020-35141 | — | Hig | 0.49 | 7.5 | 0.01 | Aug 11, 2023 | An issue was discovered in OFPQueueGetConfigReply in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop). | |
| CVE-2020-35139 | — | Hig | 0.49 | 7.5 | 0.01 | Aug 11, 2023 | An issue was discovered in OFPBundleCtrlMsg in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop). | |
| CVE-2023-33953 | — | Hig | 0.49 | 7.5 | 0.00 | Aug 9, 2023 | gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser -… | |
| CVE-2023-27530 | Hig | 0.49 | 7.5 | 0.02 | Mar 10, 2023 | A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. | ||
| CVE-2022-23487 | Hig | 0.49 | 7.5 | 0.01 | Dec 7, 2022 | js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can… | ||
| CVE-2022-23486 | Hig | 0.49 | 7.5 | 0.01 | Dec 7, 2022 | libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of… | ||
| CVE-2022-41932 | Hig | 0.49 | 7.5 | 0.01 | Nov 23, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database… | ||
| CVE-2022-36324 | Hig | 0.49 | 7.5 | 0.01 | Aug 10, 2022 | Affected devices do not properly handle the renegotiation of SSL/TLS parameters. This could allow an unauthenticated remote attacker to bypass the TCP brute force prevention and lead to a denial of service condition for the duration of the attack. | ||
| CVE-2022-36124 | Hig | 0.49 | 7.5 | 0.01 | Aug 9, 2022 | It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version… | ||
| CVE-2022-22979 | Hig | 0.49 | 7.5 | 0.01 | Jun 21, 2022 | In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework. | ||
| CVE-2022-21822 | — | Hig | 0.49 | 7.5 | 0.01 | Mar 17, 2022 | NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable. | |
| CVE-2021-32476 | Hig | 0.49 | 7.5 | 0.01 | Mar 11, 2022 | A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | ||
| CVE-2022-24685 | Hig | 0.49 | 7.5 | 0.02 | Feb 28, 2022 | HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6. | ||
| CVE-2022-23913 | — | Hig | 0.49 | 7.5 | 0.03 | Feb 4, 2022 | In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. | |
| CVE-2021-39480 | — | Hig | 0.49 | 7.5 | 0.01 | Jan 21, 2022 | Bingrep v0.8.5 was discovered to contain a memory allocation failure which can cause a Denial of Service (DoS). |
- risk 0.49cvss 7.5epss 0.01
Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into…
- risk 0.49cvss 7.5epss 0.04
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the…
- risk 0.49cvss 7.5epss 0.01
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. The vulnerability is related to how the backend reads the `days` URL query…
- risk 0.49cvss 7.5epss 0.01
A Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before…
- risk 0.49cvss 7.5epss 0.01
An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before…
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in OFPQueueGetConfigReply in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in OFPBundleCtrlMsg in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).
- risk 0.49cvss 7.5epss 0.00
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser -…
- risk 0.49cvss 7.5epss 0.02
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.
- risk 0.49cvss 7.5epss 0.01
js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can…
- risk 0.49cvss 7.5epss 0.01
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of…
- risk 0.49cvss 7.5epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database…
- risk 0.49cvss 7.5epss 0.01
Affected devices do not properly handle the renegotiation of SSL/TLS parameters. This could allow an unauthenticated remote attacker to bypass the TCP brute force prevention and lead to a denial of service condition for the duration of the attack.
- risk 0.49cvss 7.5epss 0.01
It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version…
- risk 0.49cvss 7.5epss 0.01
In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework.
- risk 0.49cvss 7.5epss 0.01
NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable.
- risk 0.49cvss 7.5epss 0.01
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
- risk 0.49cvss 7.5epss 0.02
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.
- risk 0.49cvss 7.5epss 0.03
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
- risk 0.49cvss 7.5epss 0.01
Bingrep v0.8.5 was discovered to contain a memory allocation failure which can cause a Denial of Service (DoS).