CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CVE-2024-4437 (GCVE-0-2024-4437)
Vulnerability from cvelistv5 – Published: 2024-05-08 08:57 – Updated: 2025-11-20 07:30- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:3352 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:3467 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2024-4437 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2279361 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
|
Unaffected:
3.3.23
(semver)
|
|||
| Red Hat | Red Hat OpenStack Platform 16.1 |
Unaffected:
0:3.3.23-16.el8ost , < *
(rpm)
cpe:/a:redhat:openstack:16.1::el8 |
|
| Red Hat | Red Hat OpenStack Platform 16.2 |
Unaffected:
0:3.3.23-16.el8ost , < *
(rpm)
cpe:/a:redhat:openstack:16.2::el8 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 |
cpe:/a:redhat:openstack:17.1 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T14:42:13.008551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:01.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2024:3352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3352"
},
{
"name": "RHSA-2024:3467",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3467"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4437"
},
{
"name": "RHBZ#2279361",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279361"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/etcd-io/etcd",
"defaultStatus": "unknown",
"packageName": "etcd",
"versions": [
{
"status": "unaffected",
"version": "3.3.23",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.1::el8"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 16.1",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.23-16.el8ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2::el8"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.23-16.el8ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
}
],
"datePublic": "2024-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2021-44716. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T07:30:50.038Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:3352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3352"
},
{
"name": "RHSA-2024:3467",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3467"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4437"
},
{
"name": "RHBZ#2279361",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279361"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-06T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-05-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Etcd: incomplete fix for cve-2021-44716 in openstack platform",
"x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-4437",
"datePublished": "2024-05-08T08:57:40.229Z",
"dateReserved": "2024-05-02T16:28:46.529Z",
"dateUpdated": "2025-11-20T07:30:50.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4438 (GCVE-0-2024-4438)
Vulnerability from cvelistv5 – Published: 2024-05-08 08:59 – Updated: 2025-11-20 07:31- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:2729 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:3352 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:3467 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2024-4438 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2279365 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
|
Unaffected:
3.3.23
(semver)
|
|||
| Red Hat | Red Hat OpenStack Platform 16.1 |
Unaffected:
0:3.3.23-16.el8ost , < *
(rpm)
cpe:/a:redhat:openstack:16.1::el8 |
|
| Red Hat | Red Hat OpenStack Platform 16.2 |
Unaffected:
0:3.3.23-16.el8ost , < *
(rpm)
cpe:/a:redhat:openstack:16.2::el8 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 9 |
Unaffected:
0:3.4.26-8.el9ost , < *
(rpm)
cpe:/a:redhat:openstack:17.1::el9 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T15:51:24.572370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:33.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2024:2729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2729"
},
{
"name": "RHSA-2024:3352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3352"
},
{
"name": "RHSA-2024:3467",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3467"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4438"
},
{
"name": "RHBZ#2279365",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279365"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/etcd-io/etcd",
"defaultStatus": "unknown",
"packageName": "etcd",
"versions": [
{
"status": "unaffected",
"version": "3.3.23",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.1::el8"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 16.1",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.23-16.el8ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2::el8"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.23-16.el8ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1::el9"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 17.1 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.4.26-8.el9ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
}
],
"datePublic": "2024-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487, known as Rapid Reset. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T07:31:01.238Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:2729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2729"
},
{
"name": "RHSA-2024:3352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3352"
},
{
"name": "RHSA-2024:3467",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3467"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4438"
},
{
"name": "RHBZ#2279365",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279365"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-06T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-05-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Etcd: incomplete fix for cve-2023-39325/cve-2023-44487 in openstack platform",
"x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-4438",
"datePublished": "2024-05-08T08:59:42.187Z",
"dateReserved": "2024-05-02T16:28:57.490Z",
"dateUpdated": "2025-11-20T07:31:01.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45420 (GCVE-0-2024-45420)
Vulnerability from cvelistv5 – Published: 2024-11-19 19:32 – Updated: 2024-11-20 15:16- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Zoom Communications Inc. | Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers |
Affected:
see references
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:11:13.010896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:16:27.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux",
"iOS",
"Android"
],
"product": "Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers",
"vendor": "Zoom Communications Inc.",
"versions": [
{
"status": "affected",
"version": "see references"
}
]
}
],
"datePublic": "2024-11-12T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(247, 247, 248);\"\u003eUncontrolled resource consumption in some Zoom Apps before version 6.2.0 may allow an authenticated user to conduct a denial of service via network access.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Uncontrolled resource consumption in some Zoom Apps before version 6.2.0 may allow an authenticated user to conduct a denial of service via network access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T19:32:02.656Z",
"orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
"shortName": "Zoom"
},
"references": [
{
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-24042"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Zoom Apps - Uncontrolled Resource Consumption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
"assignerShortName": "Zoom",
"cveId": "CVE-2024-45420",
"datePublished": "2024-11-19T19:32:02.656Z",
"dateReserved": "2024-08-28T21:50:25.332Z",
"dateUpdated": "2024-11-20T15:16:27.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4557 (GCVE-0-2024-4557)
Vulnerability from cvelistv5 – Published: 2024-06-26 23:31 – Updated: 2024-08-29 15:04- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/460517 | issue-trackingpermissions-required |
| https://hackerone.com/reports/2485172 | technical-descriptionexploitpermissions-required |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T17:26:22.371824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T17:26:27.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.409Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GitLab Issue #460517",
"tags": [
"issue-tracking",
"permissions-required",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/460517"
},
{
"name": "HackerOne Bug Bounty Report #2485172",
"tags": [
"technical-description",
"exploit",
"permissions-required",
"x_transferred"
],
"url": "https://hackerone.com/reports/2485172"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "16.11.5",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThan": "17.0.3",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "17.1.1",
"status": "affected",
"version": "17.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [joaxcar](https://hackerone.com) and [setiawan_](https://hackerone.com/setiawan_) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:58.095Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #460517",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/460517"
},
{
"name": "HackerOne Bug Bounty Report #2485172",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/2485172"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 17.1.1, 17.0.3, 16.11.5 or above."
}
],
"title": "Uncontrolled Resource Consumption in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-4557",
"datePublished": "2024-06-26T23:31:10.425Z",
"dateReserved": "2024-05-06T18:30:43.604Z",
"dateUpdated": "2024-08-29T15:04:58.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45626 (GCVE-0-2024-45626)
Vulnerability from cvelistv5 – Published: 2025-02-06 11:21 – Updated: 2025-02-12 19:51- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
3.8.0 , ≤ 3.8.1
(maven)
Affected: 0 , ≤ 3.7.5 (maven) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-06T12:04:25.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/05/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T13:59:06.290280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:10.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.8.1",
"status": "affected",
"version": "3.8.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.7.5",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benoit TELLIER"
},
{
"lang": "en",
"type": "finder",
"value": "Wojciech Kapcia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."
}
],
"value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\n\nUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T11:21:12.417Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache James: denial of service through JMAP HTML to text conversion",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45626",
"datePublished": "2025-02-06T11:21:12.417Z",
"dateReserved": "2024-09-03T08:43:52.113Z",
"dateUpdated": "2025-02-12T19:51:10.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45736 (GCVE-0-2024-45736)
Vulnerability from cvelistv5 – Published: 2024-10-14 17:03 – Updated: 2025-02-28 11:03- CWE-400 - The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
| Vendor | Product | Version | |
|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.3 , < 9.3.1
(custom)
Affected: 9.2 , < 9.2.3 (custom) Affected: 9.1 , < 9.1.6 (custom) |
|
| Splunk | Splunk Cloud Platform |
Affected:
9.2.2403 , < 9.2.2403.107
(custom)
Affected: 9.1.2312 , < 9.1.2312.204 (custom) Affected: 9.1.2312 , < 9.1.2312.111 (custom) |
|
| splunk | splunk_enterprise |
Affected:
9.3 , < 9.3.1
(custom)
Affected: 9.2 , < 9.2.3 (custom) Affected: 9.1 , < 9.1.6 (custom) cpe:2.3:a:splunk:splunk_enterprise:*:*:*:*:*:*:*:* |
|
| splunk | splunk_cloud_platform |
Affected:
9.2.2403 , < 9.2.2403.107
(custom)
Affected: 9.1.2312 , < 9.1.2312.204 (custom) Affected: 9.1.2312 , < 9.1.2312.111 (custom) cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:splunk:splunk_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "splunk_enterprise",
"vendor": "splunk",
"versions": [
{
"lessThan": "9.3.1",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.3",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.6",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "splunk_cloud_platform",
"vendor": "splunk",
"versions": [
{
"lessThan": "9.2.2403.107",
"status": "affected",
"version": "9.2.2403",
"versionType": "custom"
},
{
"lessThan": "9.1.2312.204",
"status": "affected",
"version": "9.1.2312",
"versionType": "custom"
},
{
"lessThan": "9.1.2312.111",
"status": "affected",
"version": "9.1.2312",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45736",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T16:36:03.459233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T16:40:23.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.1",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.3",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.6",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.2.2403.107",
"status": "affected",
"version": "9.2.2403",
"versionType": "custom"
},
{
"lessThan": "9.1.2312.204",
"status": "affected",
"version": "9.1.2312",
"versionType": "custom"
},
{
"lessThan": "9.1.2312.111",
"status": "affected",
"version": "9.1.2312",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo\u00a0Dmytriiev (DDV_UA)"
}
],
"datePublic": "2024-10-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a search query with an improperly formatted \"INGEST_EVAL\" parameter as part of a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) which could crash the Splunk daemon (splunkd)."
}
],
"value": "In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a search query with an improperly formatted \"INGEST_EVAL\" parameter as part of a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) which could crash the Splunk daemon (splunkd)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T11:03:54.861Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2024-1006"
},
{
"url": "https://research.splunk.com/application/08978eca-caff-44c1-84dc-53f17def4e14/"
}
],
"source": {
"advisory": "SVD-2024-1006"
},
"title": "Improperly Formatted \u2018INGEST_EVAL\u2019 Parameter Crashes Splunk Daemon"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2024-45736",
"datePublished": "2024-10-14T17:03:34.828Z",
"dateReserved": "2024-09-05T21:35:21.290Z",
"dateUpdated": "2025-02-28T11:03:54.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4599 (GCVE-0-2024-4599)
Vulnerability from cvelistv5 – Published: 2024-05-07 10:48 – Updated: 2024-08-01 20:47- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| LAN Messenger | LAN Messenger |
Affected:
3.4.0
|
|
| lan_messenger | lan_messenger |
Affected:
3.4.0
cpe:2.3:a:lan_messenger:lan_messenger:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lan_messenger:lan_messenger:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "lan_messenger",
"vendor": "lan_messenger",
"versions": [
{
"status": "affected",
"version": "3.4.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-07T14:50:13.155261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:15.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.238Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/denial-service-vulnerability-lan-messenger"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LAN Messenger",
"vendor": "LAN Messenger",
"versions": [
{
"status": "affected",
"version": "3.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafael Pedrero"
}
],
"datePublic": "2024-05-07T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Remote denial of service vulnerability in LAN Messenger affecting version 3.4.0. This vulnerability allows an attacker to crash the LAN Messenger service by sending a long string directly and continuously over the UDP protocol."
}
],
"value": "Remote denial of service vulnerability in LAN Messenger affecting version 3.4.0. This vulnerability allows an attacker to crash the LAN Messenger service by sending a long string directly and continuously over the UDP protocol."
}
],
"impacts": [
{
"capecId": "CAPEC-147",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-147 XML Ping of the Death"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T10:48:39.295Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/denial-service-vulnerability-lan-messenger"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is no reported solution at this time."
}
],
"value": "There is no reported solution at this time."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Denial of service vulnerability in LAN Messenger",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-4599",
"datePublished": "2024-05-07T10:48:39.295Z",
"dateReserved": "2024-05-07T07:49:48.173Z",
"dateUpdated": "2024-08-01T20:47:41.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46891 (GCVE-0-2024-46891)
Vulnerability from cvelistv5 – Published: 2024-11-12 12:49 – Updated: 2024-11-12 14:25{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:seimens:sinec_ins:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sinec_ins",
"vendor": "seimens",
"versions": [
{
"lessThan": "V1.0_SP2_Update 3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:22:45.870908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:25:48.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SINEC INS",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V1.0 SP2 Update 3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SINEC INS (All versions \u003c V1.0 SP2 Update 3). The affected application does not properly restrict the size of generated log files. This could allow an unauthenticated remote attacker to trigger a large amount of logged events to exhaust the system\u0027s resources and create a denial of service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T12:49:43.155Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-46891",
"datePublished": "2024-11-12T12:49:43.155Z",
"dateReserved": "2024-09-12T11:24:19.243Z",
"dateUpdated": "2024-11-12T14:25:48.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47003 (GCVE-0-2024-47003)
Vulnerability from cvelistv5 – Published: 2024-09-26 08:05 – Updated: 2024-09-26 13:11- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
9.11.0
Affected: 9.5.0 , ≤ 9.5.8 (semver) Unaffected: 10.0.0 Unaffected: 9.11.1 Unaffected: 9.5.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:10:27.555291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T13:11:00.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.11.0"
},
{
"lessThanOrEqual": "9.5.8",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "9.11.1"
},
{
"status": "unaffected",
"version": "9.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.0 and 9.5.x \u0026lt;= 9.5.8 fail to validate that the message of the permalink post is a string,\u0026nbsp;which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.11.x \u003c= 9.11.0 and 9.5.x \u003c= 9.5.8 fail to validate that the message of the permalink post is a string,\u00a0which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T08:05:16.392Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00373",
"defect": [
"https://mattermost.atlassian.net/browse/MM-59077"
],
"discovery": "EXTERNAL"
},
"title": "DoS via non-string message using permalink embed",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-47003",
"datePublished": "2024-09-26T08:05:16.392Z",
"dateReserved": "2024-09-23T07:55:36.376Z",
"dateUpdated": "2024-09-26T13:11:00.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47239 (GCVE-0-2024-47239)
Vulnerability from cvelistv5 – Published: 2025-01-08 02:00 – Updated: 2025-01-08 15:33- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00026959… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
8.2.2.x , ≤ 9.7.1.2
(semver)
Affected: 9.4.0.0 , ≤ 9.4.0.19 (semver) Affected: 9.5.0.0 , ≤ 9.5.1.1 (semver) Affected: 9.8.0.0 , ≤ 9.9.0.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T15:33:28.596400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T15:33:59.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"lessThanOrEqual": "9.7.1.2",
"status": "affected",
"version": "8.2.2.x",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.0.19",
"status": "affected",
"version": "9.4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.1.1",
"status": "affected",
"version": "9.5.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.9.0.0",
"status": "affected",
"version": "9.8.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-01-06T18:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerScale OneFS versions 8.2.2.x through 9.9.0.0 contain an uncontrolled resource consumption vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to denial of service."
}
],
"value": "Dell PowerScale OneFS versions 8.2.2.x through 9.9.0.0 contain an uncontrolled resource consumption vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T02:00:15.883Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000269590/dsa-2024-480-security-update-for-dell-powerscale-onefs-security-vulnerability"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2024-47239",
"datePublished": "2025-01-08T02:00:15.883Z",
"dateReserved": "2024-09-23T05:36:07.683Z",
"dateUpdated": "2025-01-08T15:33:59.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
Phase: Architecture and Design
Description:
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that protocols have specific limits of scale placed on them.
Mitigation
Phase: Implementation
Description:
- Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.