CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5404 vulnerabilities reference this CWE, most recent first.
GHSA-XGP9-53FC-Q25J
Vulnerability from github – Published: 2023-06-26 12:30 – Updated: 2023-06-26 12:30Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
{
"affected": [],
"aliases": [
"CVE-2023-3398"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T11:15:09Z",
"severity": "MODERATE"
},
"details": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.",
"id": "GHSA-xgp9-53fc-q25j",
"modified": "2023-06-26T12:30:22Z",
"published": "2023-06-26T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3398"
},
{
"type": "WEB",
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XGPG-W5R9-97QH
Vulnerability from github – Published: 2025-10-20 18:30 – Updated: 2025-10-20 18:30An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The absence of a NULL check leads to a Denial of Service when an attacker sends malformed MM packets to the target.
{
"affected": [],
"aliases": [
"CVE-2024-55568"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-20T16:15:36Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The absence of a NULL check leads to a Denial of Service when an attacker sends malformed MM packets to the target.",
"id": "GHSA-xgpg-w5r9-97qh",
"modified": "2025-10-20T18:30:32Z",
"published": "2025-10-20T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55568"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-55568"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGR5-38F7-XQVV
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2024-03-27 15:30libcurl provides the CURLOPT_CERTINFO option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
{
"affected": [],
"aliases": [
"CVE-2022-27781"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "HIGH"
},
"details": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server\u0027s certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.",
"id": "GHSA-xgr5-38f7-xqvv",
"modified": "2024-03-27T15:30:35Z",
"published": "2022-06-03T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1555441"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220609-0009"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGWC-RMQJ-WXQR
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected.
{
"affected": [],
"aliases": [
"CVE-2019-1672"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-08T18:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected.",
"id": "GHSA-xgwc-rmqj-wxqr",
"modified": "2022-05-13T01:31:27Z",
"published": "2022-05-13T01:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1672"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106904"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XGXR-3384-47XM
Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2024-04-04 04:53A memory leak in the EFR32 Bluetooth LE stack 5.1.0 through 5.1.1 allows an attacker to send an invalid pairing message and cause future legitimate connection attempts to fail. A reset of the device immediately clears the error.
{
"affected": [],
"aliases": [
"CVE-2023-2683"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-15T20:15:09Z",
"severity": "MODERATE"
},
"details": "\nA memory leak in the EFR32 Bluetooth LE stack 5.1.0 through 5.1.1 allows an attacker to send an invalid pairing message and cause future legitimate connection attempts to fail. A reset of the device immediately clears the error.\n\n",
"id": "GHSA-xgxr-3384-47xm",
"modified": "2024-04-04T04:53:07Z",
"published": "2023-06-15T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2683"
},
{
"type": "WEB",
"url": "https://github.com/SiliconLabs"
},
{
"type": "WEB",
"url": "https://https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000U2U1QQAV?operationContext=S1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH2H-CW6H-X9H5
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-02-27 21:31Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.
{
"affected": [],
"aliases": [
"CVE-2019-11478"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T00:15:00Z",
"severity": "HIGH"
},
"details": "Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.",
"id": "GHSA-xh2h-cw6h-x9h5",
"modified": "2024-02-27T21:31:22Z",
"published": "2022-05-24T16:48:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11478"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-03"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_19_28"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/905115"
},
{
"type": "WEB",
"url": "https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K26618426"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190625-0001"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Jul/30"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0007"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10287"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193"
},
{
"type": "WEB",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/tcpsack"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1699"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1602"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1594"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154408/Kernel-Live-Patch-Security-Notice-LSN-0055-1.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html"
},
{
"type": "WEB",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/06/28/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/10/24/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/10/29/3"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0010.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH5M-8QQP-C5X7
Vulnerability from github – Published: 2023-10-10 21:23 – Updated: 2024-06-03 18:35Impact
The MsQuic server application or process will crash, resulting in a denial of service.
Patches
The following patch was made:
- Don't Allow Version Negotiation Packets for Server Connections - https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343
Workarounds
Beyond upgrading to the patched versions, there is no other workaround. You must upgrade or disable MsQuic functionality.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Native.Quic.MsQuic.Schannel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Native.Quic.MsQuic.OpenSSL"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38171"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-10T21:23:27Z",
"nvd_published_at": "2023-10-10T18:15:18Z",
"severity": "HIGH"
},
"details": "### Impact\nThe MsQuic server application or process will crash, resulting in a denial of service.\n\n### Patches\nThe following patch was made:\n\n- Don\u0027t Allow Version Negotiation Packets for Server Connections - https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343\n\n### Workarounds\nBeyond upgrading to the patched versions, there is no other workaround. You must upgrade or disable MsQuic functionality.\n",
"id": "GHSA-xh5m-8qqp-c5x7",
"modified": "2024-06-03T18:35:09Z",
"published": "2023-10-10T21:23:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/microsoft/msquic/security/advisories/GHSA-xh5m-8qqp-c5x7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38171"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343"
},
{
"type": "PACKAGE",
"url": "https://github.com/microsoft/msquic"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote Denial of Service Vulnerability in Microsoft.Native.Quic.MsQuic.Schannel"
}
GHSA-XH5R-95XW-9RQ3
Vulnerability from github – Published: 2025-12-08 18:30 – Updated: 2025-12-08 21:30In multiple functions of NotificationManagerService.java, there is a possible way to bypass the per-package channel limits causing resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-48584"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-08T17:16:15Z",
"severity": "MODERATE"
},
"details": "In multiple functions of NotificationManagerService.java, there is a possible way to bypass the per-package channel limits causing resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-xh5r-95xw-9rq3",
"modified": "2025-12-08T21:30:20Z",
"published": "2025-12-08T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48584"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/08a0766708db2071d9b8b65abf40d7e8057daaa1"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH69-987W-HRP8
Vulnerability from github – Published: 2025-07-15 14:37 – Updated: 2025-07-15 22:56A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.
Details
The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
Affected Version
The vulnerability affects the resolv gem bundled with the following Ruby series: * Ruby 3.2 series: resolv version 0.2.2 and earlier * Ruby 3.3 series: resolv version 0.3.0 * Ruby 3.4 series: resolv version 0.6.1 and earlier
Credits
Thanks to Manu for discovering this issue.
History
Originally published at 2025-07-08 07:00:00 (UTC)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "resolv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "resolv"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "resolv"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24294"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-15T14:37:08Z",
"nvd_published_at": "2025-07-12T04:15:46Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.\n\n## Details\nThe vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.\n\nAn attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting\nlength of the name.\n\nThis resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.\n\n## Affected Version\nThe vulnerability affects the resolv gem bundled with the following Ruby series:\n* Ruby 3.2 series: resolv version 0.2.2 and earlier\n* Ruby 3.3 series: resolv version 0.3.0\n* Ruby 3.4 series: resolv version 0.6.1 and earlier\n\n## Credits\nThanks to Manu for discovering this issue.\n\n## History\nOriginally published at 2025-07-08 07:00:00 (UTC)",
"id": "GHSA-xh69-987w-hrp8",
"modified": "2025-07-15T22:56:19Z",
"published": "2025-07-15T14:37:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24294"
},
{
"type": "WEB",
"url": "https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/resolv"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resolv/CVE-2025-24294.yml"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "resolv vulnerable to DoS via insufficient DNS domain name length validation"
}
GHSA-XH69-9JX5-XGPH
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31Windows Active Directory Domain Services API Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21351"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T18:15:34Z",
"severity": "HIGH"
},
"details": "Windows Active Directory Domain Services API Denial of Service Vulnerability",
"id": "GHSA-xh69-9jx5-xgph",
"modified": "2025-02-11T18:31:38Z",
"published": "2025-02-11T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21351"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.