VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 8 of 49
  • CVE-2024-21634 · High · Jan 3, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into…

  • CVE-2023-39325 · High · Oct 11, 2023
    risk 0.49 · cvss 7.5 · epss 0.04

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the…

  • CVE-2023-37279 · High · Sep 20, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. The vulnerability is related to how the backend reads the `days` URL query…

  • CVE-2023-32186 · High · Sep 19, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    An Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before…

  • CVE-2023-32187 · High · Sep 18, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before…

  • CVE-2020-35141 · High · Aug 11, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in OFPQueueGetConfigReply in parser.py in Faucet SDN Ryu version 4.34, which allows remote attackers to cause a denial of service (DoS) (infinite loop).

  • CVE-2020-35139 · High · Aug 11, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in OFPBundleCtrlMsg in parser.py in Faucet SDN Ryu version 4.34, which allows remote attackers to cause a denial of service (DoS) (infinite loop).

  • CVE-2023-33953 · High · Aug 9, 2023
    risk 0.49 · cvss 7.5 · epss 0.00

    gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks: - Unbounded memory buffering in the HPACK parser -…

  • CVE-2023-27530 · High · Mar 10, 2023
    risk 0.49 · cvss 7.5 · epss 0.02

    A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.

  • CVE-2022-23487 · High · Dec 7, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can…

  • CVE-2022-23486 · High · Dec 7, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim's process running out of…

  • CVE-2022-41932 · High · Nov 23, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database…

  • CVE-2022-36324 · High · Aug 10, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Affected devices do not properly handle the renegotiation of SSL/TLS parameters. This could allow an unauthenticated remote attacker to bypass the TCP brute force prevention and lead to a denial of service condition for the duration of the attack.

  • CVE-2022-36124 · High · Aug 9, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version…

  • CVE-2022-22979 · High · Jun 21, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework.

  • CVE-2022-21822 · High · Mar 17, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    NVIDIA FLARE contains a vulnerability in the admin interface, where an unauthorized attacker can cause allocation of resources without limits or throttling, which may lead to the system becoming unavailable.

  • CVE-2021-32476 · High · Mar 11, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

  • CVE-2022-24685 · High · Feb 28, 2022
    risk 0.49 · cvss 7.5 · epss 0.02

    HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2022-23913 · High · Feb 4, 2022
    risk 0.49 · cvss 7.5 · epss 0.03

    In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

  • CVE-2021-39480 · High · Jan 21, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Bingrep v0.8.5 was discovered to contain a memory allocation failure which can cause a Denial of Service (DoS).