Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,099)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-20155 1Cisco 1Secure Firewall Management Center Nov 26, 2024 Nov 1, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in a logging API in Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause the device to become unresponsive or trigger an unexpected reload. This vulner...Show more A vulnerability in a logging API in Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause the device to become unresponsive or trigger an unexpected reload. This vulnerability could also allow an attacker with valid user credentials, but not Administrator privileges, to view a system log file that they would not normally have access to. This vulnerability is due to a lack of rate-limiting of requests that are sent to a specific API that is related to an FMC log. An attacker could exploit this vulnerability by sending a high rate of HTTP requests to the API. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to the FMC CPU spiking to 100 percent utilization or to the device reloading. CPU utilization would return to normal if the attack traffic was stopped before an unexpected reload was triggered.Show less
CVE-2023-5625 1Redhat 5Openshift Container Platform For Arm64 Openshift Container Platform For LinuxoneOpenshift Container Platform For Power+2 more Dec 6, 2024 Nov 1, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.
CVE-2023-46278 1Cybozu 1Cybozu Remote Service Nov 21, 2024 Nov 1, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.1.0 to 4.1.1 allows a remote authenticated attacker to consume huge storage space or cause significantly delayed communication.
CVE-2023-39610 1Tp Link 1Tapo C100 Firmware Nov 21, 2024 Oct 31, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.
CVE-2023-45955 1Nanoleaf 1Lightstrip Firmware Nov 21, 2024 Oct 31, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue discovered in Nanoleaf Light strip v3.5.10 allows attackers to cause a denial of service via crafted write binding attribute commands.
CVE-2023-46361 1Artifex 1Jbig2dec Nov 21, 2024 Oct 31, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability via jbig2_error at /jbig2dec/jbig2.c.
CVE-2023-45956 1Govee 1Led Strip Firmware Nov 21, 2024 Oct 30, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue discovered in Govee LED Strip v3.00.42 allows attackers to cause a denial of service via crafted Move and MoveWithOnoff commands.
CVE-2023-21339 1Google 1Android Nov 21, 2024 Oct 30, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 In Minikin, there is a possible way to trigger ANR by showing a malicious message due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction i...Show more In Minikin, there is a possible way to trigger ANR by showing a malicious message due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
CVE-2023-31418 1Elastic 2Elastic Cloud Enterprise Elasticsearch Nov 21, 2024 Oct 26, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of...Show more An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild.Show less
CVE-2023-40408 1Apple 4Ipados Iphone OsMacos+1 more Nov 21, 2024 Oct 25, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Hide My Email may be deac...Show more An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Hide My Email may be deactivated unexpectedly.Show less
CVE-2023-5724 2Debian Mozilla 4Debian Linux FirefoxFirefox Esr+1 more Nov 21, 2024 Oct 25, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
CVE-2023-46136 1Palletsprojects 1Werkzeug May 20, 2026 Oct 25, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megaby...Show more Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1 and 2.3.8.Show less
CVE-2023-46120 1Vmware 1Rabbitmq Java Client Nov 21, 2024 Oct 25, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Mess...Show more The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.Show less
CVE-2023-46118 1Vmware 1Rabbitmq Nov 21, 2024 Oct 25, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user w...Show more RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.Show less
CVE-2023-42031 1Ibm 2Cics Tx Txseries For Multiplatforms Nov 21, 2024 Oct 25, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 IBM TXSeries for Multiplatforms, 8.1, 8.2, and 9.1, CICS TX Standard CICS TX Advanced 10.1 and 11.1 could allow a privileged user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 2...Show more IBM TXSeries for Multiplatforms, 8.1, 8.2, and 9.1, CICS TX Standard CICS TX Advanced 10.1 and 11.1 could allow a privileged user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 266016.Show less
CVE-2023-39219 1Pingidentity 1Pingfederate Nov 21, 2024 Oct 25, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests
CVE-2022-3698 1Lenovo 2Diagnostics Hardwarescan Plugin Nov 21, 2024 Oct 25, 2023 N/A· v4 4.4 MEDIUM· v3 N/A· v2 A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to...Show more A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to trigger a system crash. Show less
CVE-2022-0353 1Lenovo 3Diagnostics Hardwarescan AddinHardwarescan Plugin Nov 21, 2024 Oct 25, 2023 N/A· v4 4.4 MEDIUM· v3 N/A· v2 A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to...Show more A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to trigger a system crash. Show less
CVE-2023-43622 1Apache 1Http Server Feb 13, 2025 Oct 23, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, s...Show more An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.Show less
CVE-2023-45810 1Openfga 1Openfga Nov 21, 2024 Oct 17, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Affected versions of OpenFGA are vulnerable to a denial of service attack. When a number of `ListObjects` calls...Show more OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Affected versions of OpenFGA are vulnerable to a denial of service attack. When a number of `ListObjects` calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and given a sufficient call volume the service as a whole becomes unresponsive. This issue has been addressed in version 1.3.4 and the upgrade is considered backwards compatible. There are no known workarounds for this vulnerability.Show less

Previous 1...697071...155 Next