CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5425 vulnerabilities reference this CWE, most recent first.
GHSA-P8HG-MM67-HMP8
Vulnerability from github – Published: 2023-11-02 09:30 – Updated: 2023-11-02 09:30Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service.
{
"affected": [],
"aliases": [
"CVE-2023-5876"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-02T09:15:08Z",
"severity": "LOW"
},
"details": "Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service.\n\n",
"id": "GHSA-p8hg-mm67-hmp8",
"modified": "2023-11-02T09:30:18Z",
"published": "2023-11-02T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5876"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P8MM-644P-PHMH
Vulnerability from github – Published: 2026-03-24 19:46 – Updated: 2026-03-27 21:19Summary
PinchTab v0.8.4 contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell -Command string using a needle derived from the profile path. In v0.8.4, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters.
If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user.
This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries.
Details
Issue 1 — PowerShell command string built with interpolated user-influenced data (internal/bridge/cleanup_windows.go in v0.8.4):
func findPIDsByPowerShell(needle string) []int {
escaped := strings.ReplaceAll(needle, `\`, `\\`)
cmd := exec.Command("powershell", "-NoProfile", "-Command",
fmt.Sprintf(`Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | `+
`Where-Object { $_.CommandLine -like '*%s*' } | `+
`Select-Object -ExpandProperty ProcessId`, escaped))
}
The needle value is interpolated directly into a PowerShell command string. Escaping backslashes alone is not sufficient to make arbitrary user-controlled content safe inside a PowerShell expression.
Issue 2 — needle is derived from launchable profile names:
The cleanup path uses:
findPIDsByPowerShell(fmt.Sprintf("--user-data-dir=%s", profileDir))
The profile directory is derived from the instance/profile name used during launch. In v0.8.4, profile name validation rejected path traversal characters such as /, \, and .., but it did not comprehensively block PowerShell metacharacters such as single quotes or statement separators.
Issue 3 — Trigger path is reachable through normal instance lifecycle APIs:
The attack path described in the report uses:
POST /instances/launchwith a craftednamePOST /instances/{id}/stopto trigger the cleanup routine
That means exploitability depends on access to privileged orchestration endpoints, not on local shell access.
PoC
Environment assumptions
- PinchTab
v0.8.4 - Windows host
- Valid API token with access to instance lifecycle endpoints
Example sequence
curl -X POST http://HOST:9867/instances/launch \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '{
"name": "poc'\''; Start-Process calc; $x='\''",
"mode": "headless"
}'
Then:
curl -X POST http://HOST:9867/instances/<INSTANCE_ID>/stop \
-H "Authorization: Bearer <TOKEN>"
If the payload survives the launch path and reaches the vulnerable cleanup code, the injected PowerShell executes when the Windows cleanup routine runs.
Impact
- Arbitrary PowerShell command execution on Windows as the PinchTab process user.
- Full compromise of data and processes accessible to that user account.
- Possible persistence or host-level follow-on actions within the same user security context.
- Potential repeated execution in restart-heavy environments if the vulnerable cleanup path is triggered repeatedly.
Scope And Limits
- Windows only.
- Requires authenticated, administrative-equivalent API access to instance lifecycle endpoints.
- Does not by itself elevate beyond the privileges of the Windows user running PinchTab.
- This is stronger than a policy bypass or low-risk hardening gap, but narrower than unauthenticated remote code execution.
Suggested Remediation
- Do not interpolate user-influenced values into PowerShell
-Commandstrings. - Pass search terms through environment variables or structured arguments instead of code generation.
- Keep strict validation on profile names, but do not rely on input validation alone as the primary defense.
- Add regression tests covering PowerShell metacharacters in profile-derived values on Windows.
Steps to Reproduce:
Environment Setup: Target: PinchTab v0.8.4 (Windows build) Platform: Windows only
1. Launch Instance with Malicious Profile Name
curl -X POST http://[server-ip]:9867/instances/launch \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '{
"name": "poc'\''; Start-Process calc; $x='\''",
"mode": "headless"
}'
2. Stop Instance to Trigger Injection
curl -X POST http://[server-ip]:9867/instances/<INSTANCE_ID>/stop \
-H "Authorization: Bearer <TOKEN>"
Additional Observation — Repeated Execution (DoS Amplification)
In environments where instances are automatically restarted (e.g., always-on mode), the cleanup routine is triggered repeatedly.
Because the injection occurs during cleanup, the payload is executed on every restart cycle: Continuous spawning of calc.exe processes Resource exhaustion System instability or crash
Impact
This vulnerability allows an authenticated attacker to execute arbitrary PowerShell commands on the Windows host running PinchTab. Impact - full host compromise including command execution, persistence, and data access; Root Cause - user-controlled input (profile name) is embedded into a PowerShell command without proper neutralization of special characters; Remediation - avoid constructing shell commands using string interpolation, enforce strict input validation (allowlist), and use structured command execution instead of powershell -Command.
Additionally, because the injection is triggered during the cleanup routine, environments with automatic instance restart behavior may repeatedly execute the injected payload, leading to uncontrolled process creation and resource exhaustion. This enables a reliable denial-of-service condition in addition to remote code execution.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/pinchtab/pinchtab/cmd/pinchtab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pinchtab/pinchtab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33623"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:46:39Z",
"nvd_published_at": "2026-03-26T21:17:06Z",
"severity": "MODERATE"
},
"details": "### Summary\nPinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters.\n\nIf an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user.\n\nThis is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries.\n\n### Details\n**Issue 1 \u2014 PowerShell command string built with interpolated user-influenced data (`internal/bridge/cleanup_windows.go` in `v0.8.4`):**\n\n```\nfunc findPIDsByPowerShell(needle string) []int {\n escaped := strings.ReplaceAll(needle, `\\`, `\\\\`)\n cmd := exec.Command(\"powershell\", \"-NoProfile\", \"-Command\",\n fmt.Sprintf(`Get-CimInstance Win32_Process -Filter \"Name=\u0027chrome.exe\u0027\" | `+\n `Where-Object { $_.CommandLine -like \u0027*%s*\u0027 } | `+\n `Select-Object -ExpandProperty ProcessId`, escaped))\n}\n```\n\nThe `needle` value is interpolated directly into a PowerShell command string. Escaping backslashes alone is not sufficient to make arbitrary user-controlled content safe inside a PowerShell expression.\n\n**Issue 2 \u2014 `needle` is derived from launchable profile names:**\n\nThe cleanup path uses:\n\n```\nfindPIDsByPowerShell(fmt.Sprintf(\"--user-data-dir=%s\", profileDir))\n```\n\nThe profile directory is derived from the instance/profile name used during launch. In `v0.8.4`, profile name validation rejected path traversal characters such as `/`, `\\`, and `..`, but it did not comprehensively block PowerShell metacharacters such as single quotes or statement separators.\n\n**Issue 3 \u2014 Trigger path is reachable through normal instance lifecycle APIs:**\n\nThe attack path described in the report uses:\n\n1. `POST /instances/launch` with a crafted `name`\n2. `POST /instances/{id}/stop` to trigger the cleanup routine\n\nThat means exploitability depends on access to privileged orchestration endpoints, not on local shell access.\n\n### PoC\n**Environment assumptions**\n\n- PinchTab `v0.8.4`\n- Windows host\n- Valid API token with access to instance lifecycle endpoints\n\n**Example sequence**\n\n```bash\ncurl -X POST http://HOST:9867/instances/launch \\\n -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"name\": \"poc\u0027\\\u0027\u0027; Start-Process calc; $x=\u0027\\\u0027\u0027\",\n \"mode\": \"headless\"\n }\u0027\n```\n\nThen:\n\n```bash\ncurl -X POST http://HOST:9867/instances/\u003cINSTANCE_ID\u003e/stop \\\n -H \"Authorization: Bearer \u003cTOKEN\u003e\"\n```\n\nIf the payload survives the launch path and reaches the vulnerable cleanup code, the injected PowerShell executes when the Windows cleanup routine runs.\n\n### Impact\n1. Arbitrary PowerShell command execution on Windows as the PinchTab process user.\n2. Full compromise of data and processes accessible to that user account.\n3. Possible persistence or host-level follow-on actions within the same user security context.\n4. Potential repeated execution in restart-heavy environments if the vulnerable cleanup path is triggered repeatedly.\n\n### Scope And Limits\n1. Windows only.\n2. Requires authenticated, administrative-equivalent API access to instance lifecycle endpoints.\n3. Does not by itself elevate beyond the privileges of the Windows user running PinchTab.\n4. This is stronger than a policy bypass or low-risk hardening gap, but narrower than unauthenticated remote code execution.\n\n### Suggested Remediation\n1. Do not interpolate user-influenced values into PowerShell `-Command` strings.\n2. Pass search terms through environment variables or structured arguments instead of code generation.\n3. Keep strict validation on profile names, but do not rely on input validation alone as the primary defense.\n4. Add regression tests covering PowerShell metacharacters in profile-derived values on Windows.\n\n\n\n\n### **Steps to Reproduce:**\n\n**Environment Setup:**\nTarget: PinchTab v0.8.4 (Windows build)\nPlatform: Windows only\n\n**1. Launch Instance with Malicious Profile Name**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/launch \\\n -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"name\": \"poc\u0027\\\u0027\u0027; Start-Process calc; $x=\u0027\\\u0027\u0027\",\n \"mode\": \"headless\"\n }\u0027\n```\n\n**2. Stop Instance to Trigger Injection**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/\u003cINSTANCE_ID\u003e/stop \\\n -H \"Authorization: Bearer \u003cTOKEN\u003e\"\n```\n\n### **Additional Observation \u2014 Repeated Execution (DoS Amplification)**\n\n**In environments where instances are automatically restarted (e.g., always-on mode), the cleanup routine is triggered repeatedly.**\n\nBecause the injection occurs during cleanup, the payload is executed on every restart cycle:\nContinuous spawning of calc.exe processes\nResource exhaustion\nSystem instability or crash\n\n### **Impact**\n\nThis vulnerability allows an authenticated attacker to execute arbitrary PowerShell commands on the Windows host running PinchTab. Impact - full host compromise including command execution, persistence, and data access; Root Cause - user-controlled input (profile name) is embedded into a PowerShell command without proper neutralization of special characters; Remediation - avoid constructing shell commands using string interpolation, enforce strict input validation (allowlist), and use structured command execution instead of powershell -Command.\n\nAdditionally, because the injection is triggered during the cleanup routine, environments with automatic instance restart behavior may repeatedly execute the injected payload, leading to uncontrolled process creation and resource exhaustion. This enables a reliable denial-of-service condition in addition to remote code execution.",
"id": "GHSA-p8mm-644p-phmh",
"modified": "2026-03-27T21:19:09Z",
"published": "2026-03-24T19:46:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33623"
},
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/pinchtab/pinchtab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution"
}
GHSA-P8PG-R36G-7VJR
Vulnerability from github – Published: 2022-01-07 00:00 – Updated: 2022-07-13 00:01In libming 0.4.8, a memory exhaustion vulnerability exist in the function cws2fws in util/main.c. Remote attackers could launch denial of service attacks by submitting a crafted SWF file that exploits this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-44590"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "In libming 0.4.8, a memory exhaustion vulnerability exist in the function cws2fws in util/main.c. Remote attackers could launch denial of service attacks by submitting a crafted SWF file that exploits this vulnerability.",
"id": "GHSA-p8pg-r36g-7vjr",
"modified": "2022-07-13T00:01:49Z",
"published": "2022-01-07T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44590"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8VW-M6QQ-W42V
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2023-12-15 18:30read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
{
"affected": [],
"aliases": [
"CVE-2022-48564"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:31Z",
"severity": "MODERATE"
},
"details": "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.",
"id": "GHSA-p8vw-m6qq-w42v",
"modified": "2023-12-15T18:30:27Z",
"published": "2023-08-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48564"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue42103"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230929-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P94W-QFCW-PQ69
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 21:31An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later
{
"affected": [],
"aliases": [
"CVE-2025-62854"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:57Z",
"severity": "LOW"
},
"details": "An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.5190 and later",
"id": "GHSA-p94w-qfcw-pq69",
"modified": "2026-02-12T21:31:25Z",
"published": "2026-02-11T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62854"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P95H-29V8-J2H6
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-19 19:00A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage.
{
"affected": [],
"aliases": [
"CVE-2022-2931"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "HIGH"
},
"details": "A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage.",
"id": "GHSA-p95h-29v8-j2h6",
"modified": "2022-10-19T19:00:19Z",
"published": "2022-10-17T19:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2931"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1543718"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2931.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/361982"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P96P-59V7-XXP6
Vulnerability from github – Published: 2023-06-06 18:30 – Updated: 2024-04-04 04:36A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
{
"affected": [],
"aliases": [
"CVE-2023-0921"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T17:15:12Z",
"severity": "MODERATE"
},
"details": "A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.",
"id": "GHSA-p96p-59v7-xxp6",
"modified": "2024-04-04T04:36:09Z",
"published": "2023-06-06T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0921"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1869839"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0921.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/392433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P995-CQ5G-4FXX
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application.
{
"affected": [],
"aliases": [
"CVE-2011-0999"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-02-23T19:00:00Z",
"severity": "MODERATE"
},
"details": "mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application.",
"id": "GHSA-p995-cq5g-4fxx",
"modified": "2022-05-13T01:23:53Z",
"published": "2022-05-13T01:23:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0999"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=678209"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65535"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=a7d6e4ecdb7648478ddec76d30d87d03d6e22b31"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a7d6e4ecdb7648478ddec76d30d87d03d6e22b31"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/17/3"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/17/6"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/46442"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P9F8-GQJF-M75J
Vulnerability from github – Published: 2021-05-06 17:28 – Updated: 2021-05-26 20:05Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fastify-multipart"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8136"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T22:07:09Z",
"nvd_published_at": "2020-03-20T19:15:00Z",
"severity": "MODERATE"
},
"details": "Prototype pollution vulnerability in `fastify-multipart` \u003c 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.",
"id": "GHSA-p9f8-gqjf-m75j",
"modified": "2021-05-26T20:05:47Z",
"published": "2021-05-06T17:28:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8136"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/804772"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in fastify-multipart"
}
GHSA-P9J9-QQWF-J574
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-29 20:06MaxQueryDuration not honoured in Samba AD DC LDAP
{
"affected": [],
"aliases": [
"CVE-2021-3670"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "MaxQueryDuration not honoured in Samba AD DC LDAP",
"id": "GHSA-p9j9-qqwf-j574",
"modified": "2022-08-29T20:06:48Z",
"published": "2022-08-24T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3670"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077533"
},
{
"type": "WEB",
"url": "https://bugzilla.samba.org/show_bug.cgi?id=14694"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/1d5b155619bc532c46932965b215bd73a920e56f"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/2b3af3b560c9617a233c131376c870fce146c002"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/5f0590362c5c0c5ee20503a67467f9be2d50e73b"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/86fe9d48883f87c928bf31ccbd275db420386803"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/dcfcafdbf756e12d9077ad7920eea25478c29f81"
},
{
"type": "WEB",
"url": "https://gitlab.com/samba-team/samba/-/commit/e1ab0c43629686d1d2c0b0b2bcdc90057a792049"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.