CWE-406
Allowed-with-ReviewInsufficient Control of Network Message Volume (Network Amplification)
Abstraction: Class · Status: Incomplete
The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.
29 vulnerabilities reference this CWE, most recent first.
GHSA-GPXV-776P-7GC7
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-12-16 22:56Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network discovery services (UDP multicast/broadcast and DNS multicast) by default.
The UDP multicast/broadcast service can be used in an amplification reflection attack, as very few bytes sent to the respective endpoint result in much larger responses: A single byte request to this service would respond with more than 100 bytes of Jenkins metadata which could be used in a DDoS attack on a Jenkins controller. Within the same network, spoofed UDP packets could also be sent to make two Jenkins controllers go into an infinite loop of replies to one another, thus causing a denial of service.
Jenkins 2.219, LTS 2.204.2 now disables both UDP multicast/broadcast and DNS multicast by default.
Administrators that need these features can re-enable them again by setting the system property hudson.DNSMultiCast.disabled to false (for DNS multicast) or the system property hudson.udp to 33848, or another port (for UDP broadcast/multicast). These are the same system properties that controlled whether these features were enabled in the past, so any instances explicitly enabling these features by setting these system properties will continue to have them enabled.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.204.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.205"
},
{
"fixed": "2.219"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2100"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T22:56:41Z",
"nvd_published_at": "2020-01-29T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network discovery services (UDP multicast/broadcast and DNS multicast) by default.\n\nThe UDP multicast/broadcast service can be used in an amplification reflection attack, as very few bytes sent to the respective endpoint result in much larger responses: A single byte request to this service would respond with more than 100 bytes of Jenkins metadata which could be used in a DDoS attack on a Jenkins controller. Within the same network, spoofed UDP packets could also be sent to make two Jenkins controllers go into an infinite loop of replies to one another, thus causing a denial of service.\n\nJenkins 2.219, LTS 2.204.2 now disables both UDP multicast/broadcast and DNS multicast by default.\n\nAdministrators that need these features can re-enable them again by setting the system property `hudson.DNSMultiCast.disabled` to `false` (for DNS multicast) or the system property `hudson.udp` to `33848`, or another port (for UDP broadcast/multicast). These are the same system properties that controlled whether these features were enabled in the past, so any instances explicitly enabling these features by setting these system properties will continue to have them enabled.",
"id": "GHSA-gpxv-776p-7gc7",
"modified": "2022-12-16T22:56:41Z",
"published": "2022-05-24T17:07:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2100"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/cd28a6d9347228b03da0e45653e23032342c2a36"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2020:0402"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2020:0675"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0681"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0683"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1641"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/01/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Jenkins vulnerable to UDP amplification reflection attack"
}
GHSA-H656-5VCF-CM23
Vulnerability from github – Published: 2026-03-03 19:08 – Updated: 2026-03-03 19:08Impact
In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version currently affected:
2026.2.23 - Vulnerable range:
<= 2026.2.23 - Patched in planned next release:
2026.2.24
Fix Commit(s)
9514201fb9b51de5d0b23151110d0ff5d9c8bd67
Technical Details
The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path.
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits.
OpenClaw thanks @v8hid for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.23"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-208",
"CWE-404",
"CWE-406",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T19:08:30Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\nIn Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version currently affected: `2026.2.23`\n- Vulnerable range: `\u003c= 2026.2.23`\n- Patched in planned next release: `2026.2.24`\n\n## Fix Commit(s)\n\n- `9514201fb9b51de5d0b23151110d0ff5d9c8bd67`\n\n## Technical Details\n\nThe Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path.\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.24`). After npm publish, the advisory can be published without further version-field edits.\n\nOpenClaw thanks @v8hid for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
"id": "GHSA-h656-5vcf-cm23",
"modified": "2026-03-03T19:08:30Z",
"published": "2026-03-03T19:08:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9514201fb9b51de5d0b23151110d0ff5d9c8bd67"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check"
}
GHSA-J552-F62V-MC74
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.
{
"affected": [],
"aliases": [
"CVE-2019-14850"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-18T19:15:00Z",
"severity": "LOW"
},
"details": "A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.",
"id": "GHSA-j552-f62v-mc74",
"modified": "2022-05-24T17:44:46Z",
"published": "2022-05-24T17:44:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14850"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757258"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MH6W-9W29-7XPH
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32Possible External Service Interaction attack
in iManager has been discovered in OpenText™ iManager 3.2.6.0000.
{
"affected": [],
"aliases": [
"CVE-2021-38135"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T16:15:19Z",
"severity": "HIGH"
},
"details": "Possible \nExternal Service Interaction attack\n\nin iManager has been discovered in\nOpenText\u2122 iManager 3.2.6.0000.",
"id": "GHSA-mh6w-9w29-7xph",
"modified": "2024-11-22T21:32:14Z",
"published": "2024-11-22T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38135"
},
{
"type": "WEB",
"url": "https://www.netiq.com/documentation/imanager-32/imanager326_releasenotes/data/imanager326_releasenotes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX83-PH6Q-F3RV
Vulnerability from github – Published: 2023-01-02 21:30 – Updated: 2023-01-09 21:30A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The name of the patch is ed4ca2cf012677973c220cdba36b5c60bfa0260b. It is recommended to apply a patch to fix this issue. VDB-217190 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2014-125036"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The name of the patch is ed4ca2cf012677973c220cdba36b5c60bfa0260b. It is recommended to apply a patch to fix this issue. VDB-217190 is the identifier assigned to this vulnerability.",
"id": "GHSA-px83-ph6q-f3rv",
"modified": "2023-01-09T21:30:22Z",
"published": "2023-01-02T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125036"
},
{
"type": "WEB",
"url": "https://github.com/drybjed/ansible-ntp/commit/ed4ca2cf012677973c220cdba36b5c60bfa0260b"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217190"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217190"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QC32-XFVC-33FG
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-18 21:30Technitium 11.5.3 allows remote attackers to cause a denial of service (bandwidth amplification) because the DNSBomb manipulation causes accumulation of low-rate DNS queries such that there is a large-sized response in a burst of traffic.
{
"affected": [],
"aliases": [
"CVE-2023-49203"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T15:15:14Z",
"severity": "HIGH"
},
"details": "Technitium 11.5.3 allows remote attackers to cause a denial of service (bandwidth amplification) because the DNSBomb manipulation causes accumulation of low-rate DNS queries such that there is a large-sized response in a burst of traffic.",
"id": "GHSA-qc32-xfvc-33fg",
"modified": "2024-09-18T21:30:48Z",
"published": "2024-09-18T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49203"
},
{
"type": "WEB",
"url": "https://gist.github.com/idealeer/89947ca07836fd0f7e9761198ca9a0f3."
},
{
"type": "WEB",
"url": "https://technitium.com/dns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3J6-H9RM-9Q33
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2025-10-22 00:32A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.
{
"affected": [],
"aliases": [
"CVE-2022-0028"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T16:15:00Z",
"severity": "HIGH"
},
"details": "A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.",
"id": "GHSA-r3j6-h9rm-9q33",
"modified": "2025-10-22T00:32:35Z",
"published": "2022-08-11T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0028"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2022-0028"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHVR-HGG7-6XQJ
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:03RTI Connext DDS Professional, Connext DDS Secure versions 4.2x to 6.1.0, and Connext DDS Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.
{
"affected": [],
"aliases": [
"CVE-2021-38487"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T17:15:00Z",
"severity": "CRITICAL"
},
"details": "RTI Connext DDS Professional, Connext DDS Secure versions 4.2x to 6.1.0, and Connext DDS Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.",
"id": "GHSA-vhvr-hgg7-6xqj",
"modified": "2022-05-14T00:03:34Z",
"published": "2022-05-06T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38487"
},
{
"type": "WEB",
"url": "https://support.rti.com/s/login/?ec=302\u0026startURL=%2Fs%2F"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGVJ-J87F-295M
Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-05-01 18:30IBM MQ 9.2 LTS, 9.3 LTS, and 9.3 CD Internet Pass-Thru could allow a remote user to cause a denial of service by sending HTTP requests that would consume all available resources. IBM X-Force ID: 281278.
{
"affected": [],
"aliases": [
"CVE-2024-25015"
],
"database_specific": {
"cwe_ids": [
"CWE-406"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T17:15:29Z",
"severity": "HIGH"
},
"details": "IBM MQ 9.2 LTS, 9.3 LTS, and 9.3 CD Internet Pass-Thru could allow a remote user to cause a denial of service by sending HTTP requests that would consume all available resources. IBM X-Force ID: 281278.",
"id": "GHSA-wgvj-j87f-295m",
"modified": "2024-05-01T18:30:41Z",
"published": "2024-05-01T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25015"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/281278"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7149583"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Separation of Privilege
An application must make network resources available to a client commensurate with the client's access level.
Mitigation
Define a clear policy for network resource allocation and consumption.
Mitigation
An application must, at all times, keep track of network resources and meter their usage appropriately.
No CAPEC attack patterns related to this CWE.