CWE-406
Allowed-with-ReviewInsufficient Control of Network Message Volume (Network Amplification)
Abstraction: Class · Status: Incomplete
The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.
29 vulnerabilities reference this CWE, most recent first.
CVE-2020-10772 (GCVE-0-2020-10772)
Vulnerability from cvelistv5 – Published: 2020-11-27 17:40 – Updated: 2024-08-04 11:14- CWE-406 - >CWE-400
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1846026 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:15.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unbound",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "unbound-1.6.6-5.el7_8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-406",
"description": "CWE-406-\u003eCWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-27T17:40:05.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846026"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10772",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "unbound",
"version": {
"version_data": [
{
"version_value": "unbound-1.6.6-5.el7_8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-406-\u003eCWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1846026",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846026"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10772",
"datePublished": "2020-11-27T17:40:05.000Z",
"dateReserved": "2020-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:14:15.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14850 (GCVE-0-2019-14850)
Vulnerability from cvelistv5 – Published: 2021-03-18 18:56 – Updated: 2024-08-05 00:26| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1757258 | x_refsource_MISC |
| https://www.redhat.com/archives/libguestfs/2019-S… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757258"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nbdkit",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "nbdkit 1.12.7, nbdkit 1.14.1, nbdkit 1.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-406",
"description": "CWE-406",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-18T18:56:42.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757258"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14850",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nbdkit",
"version": {
"version_data": [
{
"version_value": "nbdkit 1.12.7, nbdkit 1.14.1, nbdkit 1.15.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-406"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1757258",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757258"
},
{
"name": "https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html",
"refsource": "MISC",
"url": "https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14850",
"datePublished": "2021-03-18T18:56:42.000Z",
"dateReserved": "2019-08-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:26:39.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-125036 (GCVE-0-2014-125036)
Vulnerability from cvelistv5 – Published: 2023-01-02 17:11 – Updated: 2024-08-06 14:10- CWE-406 - Insufficient Control of Network Message Volume
| URL | Tags |
|---|---|
| https://vuldb.com/?id.217190 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.217190 | signaturepermissions-required |
| https://github.com/drybjed/ansible-ntp/commit/ed4… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| drybjed | ansible-ntp |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:10:56.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.217190"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.217190"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/drybjed/ansible-ntp/commit/ed4ca2cf012677973c220cdba36b5c60bfa0260b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ansible-ntp",
"vendor": "drybjed",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The patch is identified as ed4ca2cf012677973c220cdba36b5c60bfa0260b. It is recommended to apply a patch to fix this issue. VDB-217190 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in drybjed ansible-ntp entdeckt. Davon betroffen ist unbekannter Code der Datei meta/main.yml. Mittels Manipulieren mit unbekannten Daten kann eine insufficient control of network message volume-Schwachstelle ausgenutzt werden. Der Angriff kann im lokalen Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Patch wird als ed4ca2cf012677973c220cdba36b5c60bfa0260b bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.4,
"vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-406",
"description": "CWE-406 Insufficient Control of Network Message Volume",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T06:00:48.431Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.217190"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.217190"
},
{
"tags": [
"patch"
],
"url": "https://github.com/drybjed/ansible-ntp/commit/ed4ca2cf012677973c220cdba36b5c60bfa0260b"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-01-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-01-02T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-01-02T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-01-27T00:52:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "drybjed ansible-ntp main.yml amplification"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2014-125036",
"datePublished": "2023-01-02T17:11:40.787Z",
"dateReserved": "2023-01-02T17:10:42.489Z",
"dateUpdated": "2024-08-06T14:10:56.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-4855-Q42W-5VR4
Vulnerability from github – Published: 2025-08-29 20:07 – Updated: 2025-08-29 21:58Summary
A denial of service vulnerability was discovered in ntpd-rs where an attacker can induce a message storm between two NTP servers running ntpd-rs.
Details
Since ntpd-rs version 1.2.0, when configured as a server, incorrectly responded to all NTP messages sent to the server's port with a time reply, including to responses from other servers. As a consequence, a message with a spoofed IP address of another server could cause two servers running ntpd-rs to continually respond to each other, consuming significant amounts of resources.
Impact
Any time server running ntpd-rs with version between 1.2.0 and 1.6.1 inclusive which allows non-NTS traffic is affected. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.
Workarounds
Should upgrading not be possible, the impact of the issue can be mitigated by: - Whitelisting access to only IP addresses of clients using the server, using the ignore filter method. - Blocking incoming non-request traffic on the NTP server port using a firewall. - Disabling public access to the vulnerable NTP server - Disabling the server functionality by removing any [server] sections from the configuration.
Acknowledgements
The ntpd-rs authors thank Eric Sesterhenn from X41 D-Sec GmbH for finding and reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ntpd-rs"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58066"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-29T20:07:27Z",
"nvd_published_at": "2025-08-29T21:15:36Z",
"severity": "MODERATE"
},
"details": "# Summary\n\nA denial of service vulnerability was discovered in ntpd-rs where an attacker can induce a message storm between two NTP servers running ntpd-rs.\n\n# Details\n\nSince ntpd-rs version 1.2.0, when configured as a server, incorrectly responded to all NTP messages sent to the server\u0027s port with a time reply, including to responses from other servers. As a consequence, a message with a spoofed IP address of another server could cause two servers running ntpd-rs to continually respond to each other, consuming significant amounts of resources.\n\n# Impact\n\nAny time server running ntpd-rs with version between 1.2.0 and 1.6.1 inclusive which allows non-NTS traffic is affected. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.\n\n# Workarounds\n\nShould upgrading not be possible, the impact of the issue can be mitigated by:\n - Whitelisting access to only IP addresses of clients using the server, using the ignore filter method.\n - Blocking incoming non-request traffic on the NTP server port using a firewall.\n - Disabling public access to the vulnerable NTP server\n - Disabling the server functionality by removing any [server] sections from the configuration.\n\n# Acknowledgements\n\nThe ntpd-rs authors thank Eric Sesterhenn from X41 D-Sec GmbH for finding and reporting this issue.",
"id": "GHSA-4855-q42w-5vr4",
"modified": "2025-08-29T21:58:17Z",
"published": "2025-08-29T20:07:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-4855-q42w-5vr4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58066"
},
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/commit/da37cf167736cbd4d7804b1ed7ceb572468298e0"
},
{
"type": "PACKAGE",
"url": "https://github.com/pendulum-project/ntpd-rs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "DoS Vulnerability in ntpd-rs"
}
GHSA-6MGP-6QQC-4G38
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-18 21:30An issue was discovered in Technitium through 11.0.2. The forwarding mode enables attackers to create a query loop using Technitium resolvers, launching amplification attacks and causing potential DoS.
{
"affected": [],
"aliases": [
"CVE-2023-28455"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T15:15:14Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Technitium through 11.0.2. The forwarding mode enables attackers to create a query loop using Technitium resolvers, launching amplification attacks and causing potential DoS.",
"id": "GHSA-6mgp-6qqc-4g38",
"modified": "2024-09-18T21:30:48Z",
"published": "2024-09-18T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28455"
},
{
"type": "WEB",
"url": "https://gist.github.com/idealeer/89947ca07836fd0f7e9761198ca9a0f3"
},
{
"type": "WEB",
"url": "https://technitium.com/dns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6P25-V7PX-GQPH
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-18 21:30An issue was discovered in Technitium through 11.0.2. It enables attackers to launch amplification attacks (3 times more than other "golden model" software like BIND) and cause potential DoS.
{
"affected": [],
"aliases": [
"CVE-2023-28456"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T15:15:14Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Technitium through 11.0.2. It enables attackers to launch amplification attacks (3 times more than other \"golden model\" software like BIND) and cause potential DoS.",
"id": "GHSA-6p25-v7px-gqph",
"modified": "2024-09-18T21:30:48Z",
"published": "2024-09-18T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28456"
},
{
"type": "WEB",
"url": "https://gist.github.com/idealeer/89947ca07836fd0f7e9761198ca9a0f3"
},
{
"type": "WEB",
"url": "https://technitium.com/dns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6X94-8G2R-QG72
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:03eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.
{
"affected": [],
"aliases": [
"CVE-2021-38425"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T17:15:00Z",
"severity": "CRITICAL"
},
"details": "eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.",
"id": "GHSA-6x94-8g2r-qg72",
"modified": "2022-05-14T00:03:35Z",
"published": "2022-05-06T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38425"
},
{
"type": "WEB",
"url": "https://github.com/eProsima/Fast-DDS"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7HMV-4J2J-PP6F
Vulnerability from github – Published: 2026-04-06 22:54 – Updated: 2026-04-06 22:54Impact
The server handles ActorEventPacket to trigger consuming animations from vanilla clients when they eat food or drink potions.
This can be abused to make the server spam other clients, and to waste server CPU and memory. For every ActorEventPacket sent by the client, an animation event will be sent to every other player the attacker is visible to.
This is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. AnimatePacket and LevelSoundEventPacket), but somehow this one slipped through the net.
Patches
The problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. ActorEventPacket from the client is now discarded.
Workarounds
A plugin could use DataPacketDecodeEvent to rate-limit ActorEventPacket to prevent the attack.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pocketmine/pocketmine-mp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.39.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T22:54:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe server handles `ActorEventPacket` to trigger consuming animations from vanilla clients when they eat food or drink potions.\n\nThis can be abused to make the server spam other clients, and to waste server CPU and memory. For every `ActorEventPacket` sent by the client, an animation event will be sent to every other player the attacker is visible to.\n\nThis is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. `AnimatePacket` and `LevelSoundEventPacket`), but somehow this one slipped through the net.\n\n### Patches\nThe problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. `ActorEventPacket` from the client is now discarded.\n\n### Workarounds\nA plugin could use `DataPacketDecodeEvent` to rate-limit `ActorEventPacket` to prevent the attack.",
"id": "GHSA-7hmv-4j2j-pp6f",
"modified": "2026-04-06T22:54:10Z",
"published": "2026-04-06T22:54:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-7hmv-4j2j-pp6f"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/commit/aeea1150a772a005b92bd418366f1b7cf1a91ab5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pmmp/PocketMine-MP"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`"
}
GHSA-C6M8-CMM6-5QVG
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:01TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.
{
"affected": [],
"aliases": [
"CVE-2021-43547"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T17:15:00Z",
"severity": "HIGH"
},
"details": "TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.",
"id": "GHSA-c6m8-cmm6-5qvg",
"modified": "2022-05-14T00:01:34Z",
"published": "2022-05-06T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43547"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
},
{
"type": "WEB",
"url": "http://www.twinoakscomputing.com/coredx/download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GJCC-3VR8-G68X
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:03OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure.
{
"affected": [],
"aliases": [
"CVE-2021-38429"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T17:15:00Z",
"severity": "CRITICAL"
},
"details": "OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure.",
"id": "GHSA-gjcc-3vr8-g68x",
"modified": "2022-05-14T00:03:35Z",
"published": "2022-05-06T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38429"
},
{
"type": "WEB",
"url": "https://opendds.org"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Separation of Privilege
An application must make network resources available to a client commensurate with the client's access level.
Mitigation
Define a clear policy for network resource allocation and consumption.
Mitigation
An application must, at all times, keep track of network resources and meter their usage appropriately.
No CAPEC attack patterns related to this CWE.