CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-WHJ4-6X5X-4V2J
Vulnerability from github – Published: 2026-04-13 19:22 – Updated: 2026-04-27 16:21Impact
Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).
Patches
The amount of data read is now limited to the necessary amount. Fixed in Pillow 12.2.0 (PR #9521).
Workarounds
Avoid Pillow >= 10.3.0, < 12.2.0 Only open specific image formats, excluding FITS.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pillow"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "12.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40192"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-13T19:22:35Z",
"nvd_published_at": "2026-04-15T23:16:10Z",
"severity": "HIGH"
},
"details": "### Impact\nPillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).\n\n### Patches\nThe amount of data read is now limited to the necessary amount.\nFixed in Pillow 12.2.0 (PR #9521).\n\n### Workarounds\nAvoid Pillow \u003e= 10.3.0, \u003c 12.2.0\nOnly open [specific image formats](https://pillow.readthedocs.io/en/stable/releasenotes/8.0.0.html#image-open-add-formats-parameter), excluding FITS.",
"id": "GHSA-whj4-6x5x-4v2j",
"modified": "2026-04-27T16:21:39Z",
"published": "2026-04-13T19:22:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/pull/9521"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-pillow/Pillow"
},
{
"type": "WEB",
"url": "https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FITS GZIP decompression bomb in Pillow"
}
GHSA-WHJ9-M24X-QHHP
Vulnerability from github – Published: 2023-06-22 20:00 – Updated: 2023-06-22 20:00Coordinated Disclosure Timeline
- 10.06.2023: Issue reported to IntellectualSites
- 11.06.2023: Issue is acknowledged
- 12.06.2023: Issue has been fixed
- 22.06.2023: Advisory has been published
Impacted version range
Before 2.6.3
Details
Proof of Concept
As a user, do the following:
- Select position 1 via
//pos1 - Select position 2 adding the "Infinity" keyword via
//pos2 Infinity - Execute any further operation.
The steps 1 and 2 are interchangeable.
Impact
Such a task has a possibility of bringing the performing server down.
CVE
- CVE-2023-35925
Credit
This issue was discovered and reported by @SuperMonis.
Solution
On June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability. We strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible.
Workarounds
There is no direct mitigation besides updating FastAsyncWorldEdit to a patched version.
Additional Information
Users with access to the logs/ folder or shell access on their server can try to identify possible abuses of this issue by going through the logs.
To sieve through the data, you can use the regex query \/\/pos[12] Infinity, then investigate all log entries that return results.
Disclosure Policy
If you discover a security vulnerability within our software, please report the issue according to our vulnerability disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fastasyncworldedit:FastAsyncWorldEdit-Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fastasyncworldedit:FastAsyncWorldEdit-Bukkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-35925"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-22T20:00:36Z",
"nvd_published_at": "2023-06-23T16:15:09Z",
"severity": "MODERATE"
},
"details": "### Coordinated Disclosure Timeline\n\n- 10.06.2023: Issue reported to IntellectualSites\n- 11.06.2023: Issue is acknowledged\n- 12.06.2023: Issue has been fixed\n- 22.06.2023: Advisory has been published\n\n### Impacted version range\n\nBefore 2.6.3\n\n### Details\n\n#### Proof of Concept\n\nAs a user, do the following:\n\n1. Select position 1 via `//pos1`\n2. Select position 2 adding the \"Infinity\" keyword via `//pos2 Infinity`\n3. Execute any further operation.\n\nThe steps 1 and 2 are interchangeable.\n\n#### Impact\n\nSuch a task has a possibility of bringing the performing server down.\n\n#### CVE\n\n- CVE-2023-35925\n\n#### Credit\n\nThis issue was discovered and [reported](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md) by @SuperMonis.\n\n### Solution\n\nOn June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability.\nWe strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible.\n\n### Workarounds\n\nThere is no direct mitigation besides updating FastAsyncWorldEdit to a patched version.\n\n### Additional Information\n\nUsers with access to the `logs/` folder or shell access on their server can try to identify possible abuses of this issue by going through the logs.\nTo sieve through the data, you can use the regex query `\\/\\/pos[12] Infinity`, then investigate all log entries that return results.\n\n### Disclosure Policy\n\nIf you discover a security vulnerability within our software, please report the issue according to our [vulnerability disclosure policy](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md).",
"id": "GHSA-whj9-m24x-qhhp",
"modified": "2023-06-22T20:00:36Z",
"published": "2023-06-22T20:00:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35925"
},
{
"type": "WEB",
"url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
},
{
"type": "PACKAGE",
"url": "https://github.com/IntellectualSites/FastAsyncWorldEdit"
},
{
"type": "WEB",
"url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption"
}
GHSA-WHVX-2M69-J66G
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-11-14 19:00In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
{
"affected": [],
"aliases": [
"CVE-2019-20446"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-02T14:15:00Z",
"severity": "MODERATE"
},
"details": "In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.",
"id": "GHSA-whvx-2m69-j66g",
"modified": "2022-11-14T19:00:25Z",
"published": "2022-05-24T17:07:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20446"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/librsvg/issues/515"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221111-0004"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4436-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJ37-MPQ9-XRCM
Vulnerability from github – Published: 2024-04-26 09:30 – Updated: 2025-05-12 21:48Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.6.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.6.0-rc1"
},
{
"fixed": "9.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.5.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.4.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.1.11"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.1.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-4183"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-26T19:10:41Z",
"nvd_published_at": "2024-04-26T09:15:12Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.",
"id": "GHSA-wj37-mpq9-xrcm",
"modified": "2025-05-12T21:48:38Z",
"published": "2024-04-26T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4183"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to limit the number of active sessions"
}
GHSA-WJ55-VQCQ-GXCP
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2025-11-04 00:30There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
{
"affected": [],
"aliases": [
"CVE-2021-3733"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:42:00Z",
"severity": "MODERATE"
},
"details": "There\u0027s a flaw in urllib\u0027s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
"id": "GHSA-wj55-vqcq-gxcp",
"modified": "2025-11-04T00:30:31Z",
"published": "2022-03-11T00:02:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/24391"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue43075"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220407-0001"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2021-3733"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJG4-WR5G-F28X
Vulnerability from github – Published: 2022-04-29 02:59 – Updated: 2022-04-29 02:59Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.
{
"affected": [],
"aliases": [
"CVE-2004-1201"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-01-10T05:00:00Z",
"severity": "MODERATE"
},
"details": "Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.",
"id": "GHSA-wjg4-wr5g-f28x",
"modified": "2022-04-29T02:59:09Z",
"published": "2022-04-29T02:59:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-1201"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18282"
},
{
"type": "WEB",
"url": "http://marc.info/?l=full-disclosure\u0026m=110141347502530\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=full-disclosure\u0026m=110144136213993\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/11762"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WJH7-W5FX-RQ52
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2023-08-16 18:30A vulnerability in the TCP packet processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory exhaustion condition. An attacker could exploit this vulnerability by sending a high rate of crafted TCP traffic through an affected device. A successful exploit could allow the attacker to exhaust device resources, resulting in a DoS condition for traffic transiting the affected device.
{
"affected": [],
"aliases": [
"CVE-2020-3554"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-21T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the TCP packet processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory exhaustion condition. An attacker could exploit this vulnerability by sending a high rate of crafted TCP traffic through an affected device. A successful exploit could allow the attacker to exhaust device resources, resulting in a DoS condition for traffic transiting the affected device.",
"id": "GHSA-wjh7-w5fx-rq52",
"modified": "2023-08-16T18:30:19Z",
"published": "2022-05-24T17:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3554"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-QFcNEPfx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJJC-M3FC-FCM8
Vulnerability from github – Published: 2022-05-17 05:52 – Updated: 2024-11-26 18:40The password_checker function in config/multiconfig.py in MoinMoin prior to version 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "moin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2008-6549"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-09T19:33:55Z",
"nvd_published_at": "2009-03-30T01:30:00Z",
"severity": "HIGH"
},
"details": "The password_checker function in `config/multiconfig.py` in MoinMoin prior to version 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.",
"id": "GHSA-wjjc-m3fc-fcm8",
"modified": "2024-11-26T18:40:12Z",
"published": "2022-05-17T05:52:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6549"
},
{
"type": "PACKAGE",
"url": "https://github.com/moinwiki/moin"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2009-12.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20080410051007/http://moinmo.in/SecurityFixes"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20211206185024/http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MoinMoin Denial of Service vulnerability via password_checker function"
}
GHSA-WJJX-5Q7V-M436
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
{
"affected": [],
"aliases": [
"CVE-2026-46866"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T10:54:04Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).",
"id": "GHSA-wjjx-5q7v-m436",
"modified": "2026-06-17T18:35:33Z",
"published": "2026-06-17T18:35:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46866"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cspujun2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJM3-FQ3R-5X46
Vulnerability from github – Published: 2021-05-18 21:07 – Updated: 2024-05-20 21:31GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/tidwall/gjson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36066"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T21:00:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "GJSON \u003c1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.",
"id": "GHSA-wjm3-fq3r-5x46",
"modified": "2024-05-20T21:31:34Z",
"published": "2021-05-18T21:07:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36066"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/195"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/195#issuecomment-755303148"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc"
},
{
"type": "PACKAGE",
"url": "https://github.com/tidwall/gjson"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "github.com/tidwall/gjson is vulnerable to Denial of service"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.