CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-P4W7-QPHW-GM3C
Vulnerability from github – Published: 2023-01-11 09:30 – Updated: 2023-01-19 00:30Insufficient fencing and checks in System Management Unit (SMU) may result in access to invalid message port registers that could result in a potential denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2021-26355"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-11T08:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient fencing and checks in System Management Unit (SMU) may result in access to invalid message port registers that could result in a potential denial-of-service.",
"id": "GHSA-p4w7-qphw-gm3c",
"modified": "2023-01-19T00:30:31Z",
"published": "2023-01-11T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26355"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-1032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4XG-CPR9-VWVJ
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2023-11-02 16:05Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.wildfly:wildfly-undertow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.0.Beta1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-9589"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-28T21:38:39Z",
"nvd_published_at": "2018-03-12T15:29:00Z",
"severity": "HIGH"
},
"details": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection.",
"id": "GHSA-p4xg-cpr9-vwvj",
"modified": "2023-11-02T16:05:42Z",
"published": "2022-05-13T01:38:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9589"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0872"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0873"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3454"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3458"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
},
{
"type": "PACKAGE",
"url": "https://github.com/wildfly/wildfly"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227180917/https://www.securityfocus.com/bid/97060"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Red Hat Wildfly DoS"
}
GHSA-P536-VVPP-9MC8
Vulnerability from github – Published: 2026-02-19 19:40 – Updated: 2026-03-05 21:42Summary
The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.14 - Fixed versions:
>= 2026.2.15
Impact
An attacker can social-engineer a user (or any automation that uses web_fetch) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.
Fix
The Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.
Fix Commit(s)
- 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147
Release Process Note
This advisory is prepared for the next npm release. Once openclaw@2026.2.15 is published, publish this advisory without further edits.
Thanks @xuemian168 for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28394"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T19:40:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe `web_fetch` tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.14`\n- Fixed versions: `\u003e= 2026.2.15`\n\n### Impact\nAn attacker can social-engineer a user (or any automation that uses `web_fetch`) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.\n\n### Fix\nThe Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.\n\n### Fix Commit(s)\n- 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147\n\n### Release Process Note\nThis advisory is prepared for the next npm release. Once `openclaw@2026.2.15` is published, publish this advisory without further edits.\n\nThanks @xuemian168 for reporting.",
"id": "GHSA-p536-vvpp-9mc8",
"modified": "2026-03-05T21:42:20Z",
"published": "2026-02-19T19:40:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw has a Web Fetch DoS via unbounded response parsing"
}
GHSA-P53P-8QCJ-MQ4G
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39There is a resource management errors vulnerability in Huawei P30. Local attackers construct broadcast message for some application, causing this application to send this broadcast message and impact the customer's use experience.
{
"affected": [],
"aliases": [
"CVE-2020-9203"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T22:15:00Z",
"severity": "LOW"
},
"details": "There is a resource management errors vulnerability in Huawei P30. Local attackers construct broadcast message for some application, causing this application to send this broadcast message and impact the customer\u0027s use experience.",
"id": "GHSA-p53p-8qcj-mq4g",
"modified": "2022-05-24T17:39:01Z",
"published": "2022-05-24T17:39:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9203"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201230-01-resourcemanagement-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P543-XPFM-54CP
Vulnerability from github – Published: 2025-10-07 17:26 – Updated: 2025-10-13 15:29Summary
Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
Details
While searching for the first boundary, the parser appends incoming data into a shared buffer (@sbuf.concat(content)) and scans for the boundary pattern:
@sbuf.scan_until(@body_regex)
If the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.
Impact
Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.
Mitigation
- Upgrade: Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per RFC 2046 § 5.1.1.
- Workarounds:
- Limit total request body size at the proxy or web server level.
- Monitor memory and set per-process limits to prevent OOM conditions.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.1"
},
{
"fixed": "3.1.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61770"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-07T17:26:16Z",
"nvd_published_at": "2025-10-07T15:16:02Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.\n\n## Details\n\nWhile searching for the first boundary, the parser appends incoming data into a shared buffer (`@sbuf.concat(content)`) and scans for the boundary pattern:\n\n```ruby\n@sbuf.scan_until(@body_regex)\n```\n\nIf the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.\n\n## Impact\n\nRemote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.\n\n## Mitigation\n\n* **Upgrade:** Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per [RFC 2046 \u00a7 5.1.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.1).\n* **Workarounds:**\n * Limit total request body size at the proxy or web server level.\n * Monitor memory and set per-process limits to prevent OOM conditions.",
"id": "GHSA-p543-xpfm-54cp",
"modified": "2025-10-13T15:29:37Z",
"published": "2025-10-07T17:26:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack\u0027s unbounded multipart preamble buffering enables DoS (memory exhaustion)"
}
GHSA-P54F-45P9-JG5Q
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50SHAREit through 4.0.6.177 does not check the body length from the received packet header (which is used to allocate memory for the next set of data). This could lead to a system denial of service due to uncontrolled memory allocation.
{
"affected": [],
"aliases": [
"CVE-2019-14941"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-27T17:15:00Z",
"severity": "HIGH"
},
"details": "SHAREit through 4.0.6.177 does not check the body length from the received packet header (which is used to allocate memory for the next set of data). This could lead to a system denial of service due to uncontrolled memory allocation.",
"id": "GHSA-p54f-45p9-jg5q",
"modified": "2024-04-04T02:50:17Z",
"published": "2022-05-24T17:16:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14941"
},
{
"type": "WEB",
"url": "https://github.com/nathunandwani/shareit-cwe-789"
},
{
"type": "WEB",
"url": "https://shareit.one/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P55V-C9MV-362M
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2017-1000476"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-03T18:29:00Z",
"severity": "HIGH"
},
"details": "ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.",
"id": "GHSA-p55v-c9mv-362m",
"modified": "2022-05-13T01:17:27Z",
"published": "2022-05-13T01:17:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000476"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/867"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102428"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P55X-7X9V-Q8M4
Vulnerability from github – Published: 2021-06-29 21:45 – Updated: 2021-05-20 20:59A denial of service flaw was found in miekg-dns before 1.0.4. A remote attacker could use carefully timed TCP packets to block the DNS server from accepting new connections.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/miekg/dns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-15133"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T20:59:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A denial of service flaw was found in miekg-dns before 1.0.4. A remote attacker could use carefully timed TCP packets to block the DNS server from accepting new connections.",
"id": "GHSA-p55x-7x9v-q8m4",
"modified": "2021-05-20T20:59:20Z",
"published": "2021-06-29T21:45:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15133"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/issues/627"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/pull/631"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1538763"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in miekg-dns"
}
GHSA-P564-948G-FPQ9
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2023-11-04 00:30GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
{
"affected": [],
"aliases": [
"CVE-2022-48064"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:30Z",
"severity": "MODERATE"
},
"details": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"id": "GHSA-p564-948g-fpq9",
"modified": "2023-11-04T00:30:21Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231006-0008"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29922"
},
{
"type": "WEB",
"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f2c64de86bc3d7556121fe296dd679000283931"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P572-R8G2-HV9H
Vulnerability from github – Published: 2023-09-27 18:30 – Updated: 2024-01-25 18:30A vulnerability in the packet processing functionality of Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to exhaust resources on an affected device.
This vulnerability is due to insufficient management of resources when handling certain types of traffic. An attacker could exploit this vulnerability by sending a series of specific wireless packets to an affected device. A successful exploit could allow the attacker to consume resources on an affected device. A sustained attack could lead to the disruption of the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel and intermittent loss of wireless client traffic.
{
"affected": [],
"aliases": [
"CVE-2023-20268"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T18:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the packet processing functionality of Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to exhaust resources on an affected device.\n\n This vulnerability is due to insufficient management of resources when handling certain types of traffic. An attacker could exploit this vulnerability by sending a series of specific wireless packets to an affected device. A successful exploit could allow the attacker to consume resources on an affected device. A sustained attack could lead to the disruption of the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel and intermittent loss of wireless client traffic.",
"id": "GHSA-p572-r8g2-hv9h",
"modified": "2024-01-25T18:30:44Z",
"published": "2023-09-27T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20268"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-dos-capwap-DDMCZS4m"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.