Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5401 vulnerabilities reference this CWE, most recent first.

GHSA-JVG8-88XJ-VPRR

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. watchOS before 4.2.2 is affected. The issue involves the "LinkPresentation" component. It allows remote attackers to cause a denial of service (resource consumption) via a crafted text message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-03T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. watchOS before 4.2.2 is affected. The issue involves the \"LinkPresentation\" component. It allows remote attackers to cause a denial of service (resource consumption) via a crafted text message.",
  "id": "GHSA-jvg8-88xj-vprr",
  "modified": "2022-05-13T01:52:35Z",
  "published": "2022-05-13T01:52:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4100"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208463"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208464"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208465"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102772"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040265"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVGW-GCCV-Q5P8

Vulnerability from github – Published: 2022-12-07 20:28 – Updated: 2023-07-14 21:53
VLAI
Summary
libp2p DoS vulnerability from lack of resource management
Details

Impact

An attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network.

Details

In the original version of the attack, the malicious node would continuously open new streams on a single connection using a stream multiplexer that doesn’t provide sufficient back pressure (mplex or yamux). While allocations per stream might be considered small, they multiply with the number of streams and connections. It is easy to defend against this one attack, e.g. by setting a strict per connection stream limit and connection limit. But there are other variations of this attack, e.g. causing memory allocations by sending partial payloads on various protocol levels, forcing the victim to buffer the partial payload for a period of time or by tricking the victim into pre-allocating buffers for messages which are never sent by the attacker.

Patches

Users are advised to upgrade to libp2p v0.45.1 or above.

References

Please see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.

Please see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv

For more information

If you have any questions or comments about this advisory, please email us at security@libp2p.io.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.45.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "libp2p"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.45.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-07T20:28:46Z",
    "nvd_published_at": "2022-12-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network.\n\n### Details\n\nIn the original version of the attack, the malicious node would continuously open new streams on a single connection using a stream multiplexer that doesn\u2019t provide sufficient back pressure (mplex or yamux). While allocations per stream might be considered small, they multiply with the number of streams and connections. It is easy to defend against this one attack, e.g. by setting a strict per connection stream limit and connection limit. But there are other variations of this attack, e.g. causing memory allocations by sending partial payloads on various protocol levels, forcing the victim to buffer the partial payload for a period of time or by tricking the victim into pre-allocating buffers for messages which are never sent by the attacker.\n\n### Patches\n\nUsers are advised to upgrade to `libp2p` `v0.45.1` or above.\n\n### References\nPlease see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.\n\nPlease see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv\n\n### For more information\nIf you have any questions or comments about this advisory, please email us at security@libp2p.io.\n",
  "id": "GHSA-jvgw-gccv-q5p8",
  "modified": "2023-07-14T21:53:44Z",
  "published": "2022-12-07T20:28:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23486"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/rust-libp2p"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0084.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "libp2p DoS vulnerability from lack of resource management"
}

GHSA-JVPF-XF32-2W4Q

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-10-15 16:08
VLAI
Summary
LlamaIndex Uncontrolled Resource Consumption vulnerability
Details

A vulnerability in the KnowledgeBaseWebReader class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the get_article_urls method, exhausting system resources and potentially crashing the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-12910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T22:02:26Z",
    "nvd_published_at": "2025-03-20T10:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.",
  "id": "GHSA-jvpf-xf32-2w4q",
  "modified": "2025-10-15T16:08:01Z",
  "published": "2025-03-20T12:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LlamaIndex Uncontrolled Resource Consumption vulnerability"
}

GHSA-JVRP-8JQJ-97W9

Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30
VLAI
Details

Dell PowerScale OneFS versions 8.2.2.x through 9.9.0.0 contain an uncontrolled resource consumption vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS versions 8.2.2.x through 9.9.0.0 contain an uncontrolled resource consumption vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to denial of service.",
  "id": "GHSA-jvrp-8jqj-97w9",
  "modified": "2025-01-08T03:30:24Z",
  "published": "2025-01-08T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47239"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000269590/dsa-2024-480-security-update-for-dell-powerscale-onefs-security-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVXX-V45P-V5VF

Vulnerability from github – Published: 2022-06-23 06:45 – Updated: 2022-06-29 20:37
VLAI
Summary
Denial of Service (DoS) vulnerability in RSSHub
Details

Impact

Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.

Patches

It is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.

References

Full report: https://github.com/DIYgod/RSSHub/issues/10045

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/DIYgod/RSSHub/issues * Email us at i@diygod.me

Credits

@Rongronggg9

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rsshub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T06:45:03Z",
    "nvd_published_at": "2022-06-29T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nPassing some special values to the `filter` and `filterout` parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.\n\n### Patches\n\nIt is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.\n\n### References\n\nFull report: https://github.com/DIYgod/RSSHub/issues/10045\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in \u003chttps://github.com/DIYgod/RSSHub/issues\u003e\n* Email us at [i@diygod.me](mailto:i@diygod.me)\n\n### Credits\n\n@Rongronggg9 \n",
  "id": "GHSA-jvxx-v45p-v5vf",
  "modified": "2022-06-29T20:37:27Z",
  "published": "2022-06-23T06:45:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-jvxx-v45p-v5vf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31110"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DIYgod/RSSHub/issues/10045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DIYgod/RSSHub/commit/4671720f4c5e1aaaad8fcc1dce684b6546baf2ff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DIYgod/RSSHub/commit/5c4177441417b44a6e45c3c63e9eac2504abeb5b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DIYgod/RSSHub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service (DoS) vulnerability in RSSHub"
}

GHSA-JW2V-CQ5X-Q68G

Vulnerability from github – Published: 2026-01-20 16:30 – Updated: 2026-02-02 22:21
VLAI
Summary
Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted
Details

Summary

Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.

However, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.

As a result a server would be able to create more databases, allocations, or backups than configured.

Impact

A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pterodactyl/panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-400",
      "CWE-413",
      "CWE-667"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T16:30:17Z",
    "nvd_published_at": "2026-01-19T19:16:03Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.\n\nHowever, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.\n\nAs a result a server would be able to create more databases, allocations, or backups than configured.\n\n### Impact\nA malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system.",
  "id": "GHSA-jw2v-cq5x-q68g",
  "modified": "2026-02-02T22:21:44Z",
  "published": "2026-01-20T16:30:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69198"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/panel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted"
}

GHSA-JWG7-4HHR-69VP

Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 15:32
VLAI
Details

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T13:15:54Z",
    "severity": "MODERATE"
  },
  "details": "An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.4 ( 2026/01/20 ) and later",
  "id": "GHSA-jwg7-4hhr-69vp",
  "modified": "2026-02-12T15:32:42Z",
  "published": "2026-02-11T15:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54150"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-26-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JWGX-VCX4-6F6J

Vulnerability from github – Published: 2023-01-11 00:30 – Updated: 2023-01-11 00:30
VLAI
Details

Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability.",
  "id": "GHSA-jwgx-vcx4-6f6j",
  "modified": "2023-01-11T00:30:47Z",
  "published": "2023-01-11T00:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21547"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21547"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21547"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWHJ-R8GF-XM67

Vulnerability from github – Published: 2023-04-25 00:30 – Updated: 2024-04-04 03:40
VLAI
Details

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component ecma_find_named_property at /base/ecma-helpers.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component ecma_find_named_property at /base/ecma-helpers.c.",
  "id": "GHSA-jwhj-r8gf-xm67",
  "modified": "2024-04-04T03:40:17Z",
  "published": "2023-04-25T00:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jerryscript-project/jerryscript/issues/5058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWR6-46Q6-XCR4

Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2024-08-23 03:30
VLAI
Details

Excessive platform resource consumption within a loop issue exists in Cybozu Garoon 5.0.0 to 5.15.2. If this vulnerability is exploited, processing a crafted mail may cause a denial-of-service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Excessive platform resource consumption within a loop issue exists in Cybozu Garoon 5.0.0 to 5.15.2. If this vulnerability is exploited, processing a crafted mail may cause a denial-of-service (DoS) condition.",
  "id": "GHSA-jwr6-46q6-xcr4",
  "modified": "2024-08-23T03:30:57Z",
  "published": "2024-06-11T06:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31399"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2024/007901.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN28869536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.