CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5401 vulnerabilities reference this CWE, most recent first.
GHSA-XWGF-RG8J-2J5X
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2021-12-09 00:01A unauthenticated denial of service vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 when configured as a VPN (Gateway) or AAA virtual server could allow an attacker to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication.
{
"affected": [],
"aliases": [
"CVE-2021-22955"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T14:15:00Z",
"severity": "HIGH"
},
"details": "A unauthenticated denial of service vulnerability exists in Citrix ADC \u003c13.0-83.27, \u003c12.1-63.22 and 11.1-65.23 when configured as a VPN (Gateway) or AAA virtual server could allow an attacker to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication.",
"id": "GHSA-xwgf-rg8j-2j5x",
"modified": "2021-12-09T00:01:47Z",
"published": "2021-12-08T00:01:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22955"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX330728"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XWW6-9QVQ-R7PR
Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35A vulnerability in management interface access control list (ACL) configuration of Cisco NX-OS System Software could allow an unauthenticated, remote attacker to bypass configured ACLs on the management interface. This could allow traffic to be forwarded to the NX-OS CPU for processing, leading to high CPU utilization and a denial of service (DoS) condition. The vulnerability is due to a bad code fix in the 7.3.2 code train that could allow traffic to the management interface to be misclassified and not match the proper configured ACLs. An attacker could exploit this vulnerability by sending crafted traffic to the management interface. An exploit could allow the attacker to bypass the configured management interface ACLs and impact the CPU of the targeted device, resulting in a DoS condition. This vulnerability affects the following Cisco products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode. Cisco Bug IDs: CSCvf31132.
{
"affected": [],
"aliases": [
"CVE-2018-0090"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-18T06:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in management interface access control list (ACL) configuration of Cisco NX-OS System Software could allow an unauthenticated, remote attacker to bypass configured ACLs on the management interface. This could allow traffic to be forwarded to the NX-OS CPU for processing, leading to high CPU utilization and a denial of service (DoS) condition. The vulnerability is due to a bad code fix in the 7.3.2 code train that could allow traffic to the management interface to be misclassified and not match the proper configured ACLs. An attacker could exploit this vulnerability by sending crafted traffic to the management interface. An exploit could allow the attacker to bypass the configured management interface ACLs and impact the CPU of the targeted device, resulting in a DoS condition. This vulnerability affects the following Cisco products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode. Cisco Bug IDs: CSCvf31132.",
"id": "GHSA-xww6-9qvq-r7pr",
"modified": "2022-05-13T01:35:51Z",
"published": "2022-05-13T01:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0090"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102753"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040247"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWW7-7GCC-RP5W
Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.
{
"affected": [],
"aliases": [
"CVE-2026-49090"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T18:16:33Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.",
"id": "GHSA-xww7-7gcc-rp5w",
"modified": "2026-07-01T18:31:56Z",
"published": "2026-07-01T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49090"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elasticsearch-7-17-24-8-15-0-security-update-esa-2026-52"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWXC-RH9R-2448
Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2026-05-27 18:31Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
{
"affected": [],
"aliases": [
"CVE-2022-21293"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-19T12:15:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).",
"id": "GHSA-xwxc-rh9r-2448",
"modified": "2026-05-27T18:31:33Z",
"published": "2022-02-11T00:01:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21293"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-05"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220121-0007"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5057"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5058"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XX3G-V5FX-V7W6
Vulnerability from github – Published: 2024-01-16 09:30 – Updated: 2025-06-20 21:31launchAnyWhere vulnerability in the ActivityManagerService module. Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2023-52113"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-16T08:15:09Z",
"severity": "HIGH"
},
"details": "launchAnyWhere vulnerability in the ActivityManagerService module. Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-xx3g-v5fx-v7w6",
"modified": "2025-06-20T21:31:39Z",
"published": "2024-01-16T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52113"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/1"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202401-0000001799925977"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX78-W68C-HGFG
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-13 00:01A remote denial of service (DoS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-29152"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-08T16:15:00Z",
"severity": "MODERATE"
},
"details": "A remote denial of service (DoS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.",
"id": "GHSA-xx78-w68c-hgfg",
"modified": "2022-07-13T00:01:16Z",
"published": "2022-05-24T19:07:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29152"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-012.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX9G-FH25-4Q64
Vulnerability from github – Published: 2026-02-06 19:53 – Updated: 2026-02-07 00:33Summary
A Denial of Service (DoS) vulnerability (CWE-400) exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination.
This issue affects applications that accept multipart/form-data uploads using affected versions of @adonisjs/bodyparser.
Details
AdonisJS parses multipart/form-data requests using the BodyParser package. During file uploads, the multipart parser attempts to detect the uploaded file type by accumulating incoming chunks in an internal buffer to perform magic number detection.
The internal buffer used for this detection does not enforce a maximum size and is not protected by a timeout or early termination condition. If the uploaded data does not match any supported file signatures, the buffer continues to grow as more chunks are received.
When certain configurations are used, such as deferred validations or permissive file size limits, this buffering behavior may persist for the duration of the upload stream.
Impact
Exploitation requires a reachable endpoint that accepts multipart file uploads.
An attacker can send a specially crafted multipart request containing a large or unbounded stream of data that does not match known file signatures. This may cause the server to continuously allocate memory until the Node.js process exhausts available RAM and terminates due to an out-of-memory condition.
This results in a Denial of Service, making the application unavailable to legitimate users. Authentication is not required if the upload endpoint is publicly accessible.
Patches
Fixes targeting v6 and v7 have been published below.
Users should upgrade to a version that includes the following fix: - https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 - https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.2"
},
"package": {
"ecosystem": "npm",
"name": "@adonisjs/bodyparser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.0-next.8"
},
"package": {
"ecosystem": "npm",
"name": "@adonisjs/bodyparser"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-next.0"
},
{
"fixed": "11.0.0-next.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25762"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:53:55Z",
"nvd_published_at": "2026-02-06T23:15:54Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA Denial of Service (DoS) vulnerability (CWE-400) exists in the multipart file handling logic of `@adonisjs/bodyparser`. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination.\n\nThis issue affects applications that accept `multipart/form-data` uploads using affected versions of `@adonisjs/bodyparser`.\n\n### Details\n\nAdonisJS parses `multipart/form-data` requests using the BodyParser package. During file uploads, the multipart parser attempts to detect the uploaded file type by accumulating incoming chunks in an internal buffer to perform magic number detection.\n\nThe internal buffer used for this detection does not enforce a maximum size and is not protected by a timeout or early termination condition. If the uploaded data does not match any supported file signatures, the buffer continues to grow as more chunks are received.\n\nWhen certain configurations are used, such as deferred validations or permissive file size limits, this buffering behavior may persist for the duration of the upload stream.\n\n### Impact\n\nExploitation requires a reachable endpoint that accepts multipart file uploads.\n\nAn attacker can send a specially crafted multipart request containing a large or unbounded stream of data that does not match known file signatures. This may cause the server to continuously allocate memory until the Node.js process exhausts available RAM and terminates due to an out-of-memory condition.\n\nThis results in a Denial of Service, making the application unavailable to legitimate users. Authentication is not required if the upload endpoint is publicly accessible.\n\n### Patches\n\nFixes targeting v6 and v7 have been published below.\n\nUsers should upgrade to a version that includes the following fix:\n- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3\n- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9",
"id": "GHSA-xx9g-fh25-4q64",
"modified": "2026-02-07T00:33:34Z",
"published": "2026-02-06T19:53:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25762"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9"
},
{
"type": "PACKAGE",
"url": "https://github.com/adonisjs/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection"
}
GHSA-XXH7-FCF3-RJ7F
Vulnerability from github – Published: 2026-03-05 21:27 – Updated: 2026-03-05 21:27Description (as reported)
There is a memory leak when using GzipHandler in jetty-12.0.30 that can cause off-heap OOMs. This can be used for DoS attacks so I'm reporting this as a vulnerability.
The leak is created by requests where the request is inflated (Content-Encoding: gzip) and the response is not deflated (no Accept-Encoding: gzip). In these conditions, a new inflator will be created by GzipRequest and never released back into GzipRequest.__inflaterPool because gzipRequest.destory() is not called.
In heap dumps one can see thousands of java.util.zip.Inflator objects, which use both Java heaps and native memory. Leaking native memory causes of off-heap OOMs.
Code path in GzipHandler.handle():
1. Line 601: GzipRequest is created when request inflation is needed.
2. Lines 611-616: The callback is only wrapped in GzipResponseAndCallback when both inflation and deflation are needed.
3. Lines 619-625: If the handler accepts the request (returns true), gzipRequest.destroy() is only called in the "request not accepted" path (returns false)
When deflation is needed, GzipResponseAndCallback (lines 102 and 116) properly calls gzipRequest.destroy() in its succeeded() and failed() methods. But this wrapper is only created when deflation is needed.
Possible fix:
The callback should be wrapped whenever a GzipRequest is created, not just when deflation is needed. This ensures gzipRequest.destroy() is always called when the request completes.
Impact
The leak causes the JVM to crash with OOME.
Patches
No patches yet.
Workarounds
Disable GzipHandler.
References
https://github.com/jetty/jetty.project/issues/14260
https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.1.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "12.1.0"
},
{
"fixed": "12.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.0.31"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.0.32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1605"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T21:27:59Z",
"nvd_published_at": "2026-03-05T10:15:56Z",
"severity": "HIGH"
},
"details": "### Description (as reported)\n\nThere is a memory leak when using `GzipHandler` in jetty-12.0.30 that can cause off-heap OOMs. This can be used for DoS attacks so I\u0027m reporting this as a vulnerability.\n\nThe leak is created by requests where the request is inflated (`Content-Encoding: gzip`) and the response is not deflated (no `Accept-Encoding: gzip`). In these conditions, a new inflator will be created by `GzipRequest` and never released back into `GzipRequest.__inflaterPool` because `gzipRequest.destory()` is not called.\n\nIn heap dumps one can see thousands of `java.util.zip.Inflator` objects, which use both Java heaps and native memory. Leaking native memory causes of off-heap OOMs.\n\nCode path in `GzipHandler.handle()`:\n1. Line 601: `GzipRequest` is created when request inflation is needed.\n2. Lines 611-616: The callback is only wrapped in `GzipResponseAndCallback` when both inflation and deflation are needed.\n3. Lines 619-625: If the handler accepts the request (returns true), `gzipRequest.destroy()` is only called in the \"request not accepted\" path (returns false)\n\nWhen deflation is needed, `GzipResponseAndCallback` (lines 102 and 116) properly calls `gzipRequest.destroy()` in its `succeeded()` and `failed()` methods. But this wrapper is only created when deflation is needed.\n\nPossible fix:\nThe callback should be wrapped whenever a `GzipRequest` is created, not just when deflation is needed. This ensures `gzipRequest.destroy()` is always called when the request completes.\n\n\n### Impact\nThe leak causes the JVM to crash with OOME.\n\n### Patches\nNo patches yet.\n\n### Workarounds\nDisable `GzipHandler`.\n\n### References\nhttps://github.com/jetty/jetty.project/issues/14260\n\nhttps://gitlab.eclipse.org/security/cve-assignment/-/issues/79",
"id": "GHSA-xxh7-fcf3-rj7f",
"modified": "2026-03-05T21:27:59Z",
"published": "2026-03-05T21:27:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1605"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/issues/14260"
},
{
"type": "PACKAGE",
"url": "https://github.com/jetty/jetty.project"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/79"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "The Eclipse Jetty Server Artifact has a Gzip request memory leak "
}
GHSA-XXJ3-55P6-XG3H
Vulnerability from github – Published: 2022-07-25 00:00 – Updated: 2023-03-01 20:32A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mxnet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24294"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-01T20:32:45Z",
"nvd_published_at": "2022-07-24T18:15:00Z",
"severity": "HIGH"
},
"details": "A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.",
"id": "GHSA-xxj3-55p6-xg3h",
"modified": "2023-03-01T20:32:45Z",
"published": "2022-07-25T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24294"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/mxnet"
},
{
"type": "WEB",
"url": "https://github.com/apache/mxnet/releases/tag/1.9.1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache MXNet vulnerable to potential denial-of-service by excessive resource consumption"
}
GHSA-XXQJ-X2PV-X5JJ
Vulnerability from github – Published: 2024-07-03 18:48 – Updated: 2024-07-05 18:34Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the "message" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.
{
"affected": [],
"aliases": [
"CVE-2024-6427"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-03T12:15:03Z",
"severity": "HIGH"
},
"details": "Uncontrolled Resource Consumption vulnerability in MESbook\u00a020221021.03 version. An unauthenticated remote attacker can use the \"message\" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.",
"id": "GHSA-xxqj-x2pv-x5jj",
"modified": "2024-07-05T18:34:17Z",
"published": "2024-07-03T18:48:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6427"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.