Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,099)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-5333 1Mattermost 1Mattermost Server Nov 21, 2024 Oct 9, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identi...Show more Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. Show less
CVE-2023-5330 1Mattermost 1Mattermost Server Nov 21, 2024 Oct 9, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailab...Show more Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. Show less
CVE-2023-21253 1Google 1Android Nov 21, 2024 Oct 6, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 In multiple locations, there is a possible way to crash multiple system services due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is...Show more In multiple locations, there is a possible way to crash multiple system services due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
CVE-2023-43810 1Opentelemetry 1Opentelemetry Nov 21, 2024 Oct 6, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentat...Show more OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.Show less
CVE-2023-20259 1Cisco 5Emergency Responder Prime Collaboration DeploymentUnified Communications Manager+2 more Nov 21, 2024 Oct 4, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management in...Show more A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for device management and is unlikely to be used in normal operations of the device. This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to high CPU utilization, which could negatively impact user traffic and management access. When the attack stops, the device will recover without manual intervention.Show less
CVE-2023-3153 2Ovn Redhat 3Fast Datapath Open Virtual NetworkOpenshift Container Platform Nov 21, 2024 Oct 4, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properl...Show more A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.Show less
CVE-2023-33026 1Qualcomm 194Ar8035 Firmware Ar9380 FirmwareCsr8811 Firmware+191 more Aug 11, 2025 Oct 3, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Transient DOS in WLAN Firmware while parsing a NAN management frame.
CVE-2023-26151 1Freeopcua 1Opcua Asyncio Nov 21, 2024 Oct 3, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive...Show more Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.Show less
CVE-2023-5196 1Mattermost 1Mattermost Nov 21, 2024 Sep 29, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing...Show more Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. Show less
CVE-2023-20268 1Cisco 4Business 150ax Firmware Business 151axm FirmwareCatalyst 9800 Embedded Wireless Controller Firmware+1 more Dec 12, 2024 Sep 27, 2023 N/A· v4 4.7 MEDIUM· v3 N/A· v2 A vulnerability in the packet processing functionality of Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to exhaust resources on an affected device.  This vulnerability is due...Show more A vulnerability in the packet processing functionality of Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to exhaust resources on an affected device.  This vulnerability is due to insufficient management of resources when handling certain types of traffic. An attacker could exploit this vulnerability by sending a series of specific wireless packets to an affected device. A successful exploit could allow the attacker to consume resources on an affected device. A sustained attack could lead to the disruption of the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel and intermittent loss of wireless client traffic.Show less
CVE-2023-20176 1Cisco 5Catalyst 9124 Firmware Catalyst 9130 FirmwareCatalyst 9136 Firmware+2 more Nov 21, 2024 Sep 27, 2023 N/A· v4 8.6 HIGH· v3 N/A· v2 A vulnerability in the networking component of Cisco access point (AP) software could allow an unauthenticated, remote attacker to cause a temporary disruption of service. This vulnerability is due to overuse of AP re...Show more A vulnerability in the networking component of Cisco access point (AP) software could allow an unauthenticated, remote attacker to cause a temporary disruption of service. This vulnerability is due to overuse of AP resources. An attacker could exploit this vulnerability by connecting to an AP on an affected device as a wireless client and sending a high rate of traffic over an extended period of time. A successful exploit could allow the attacker to cause the Datagram TLS (DTLS) session to tear down and reset, causing a denial of service (DoS) condition.Show less
CVE-2023-5157 3Fedoraproject MariadbRedhat 12Enterprise Linux Enterprise Linux EusEnterprise Linux For Arm 64+9 more Oct 1, 2025 Sep 27, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.
CVE-2023-43775 1Eaton 4Smp 16 Firmware Smp 4/dp FirmwareSmp Sg 4250 Firmware+1 more Nov 21, 2024 Sep 27, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Denial-of-service vulnerability in the web server of the Eaton SMP Gateway allows attacker to potentially force an unexpected restart of the automation platform, impacting the availability of the product. In rare situa...Show more Denial-of-service vulnerability in the web server of the Eaton SMP Gateway allows attacker to potentially force an unexpected restart of the automation platform, impacting the availability of the product. In rare situations, the issue could cause the SMP device to restart in Safe Mode or Max Safe Mode. When in Max Safe Mode, the product is not vulnerable anymore. Show less
CVE-2023-43646 1Chaijs 1Get Func Name Nov 21, 2024 Sep 27, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which...Show more get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2023-41310 1Huawei 2Emui Harmonyos Nov 21, 2024 Sep 27, 2023 N/A· v4 3.3 LOW· v3 N/A· v2 Keep-alive vulnerability in the sticky broadcast mechanism. Successful exploitation of this vulnerability may cause malicious apps to run continuously in the background.
CVE-2023-40441 1Apple 3Ipados Iphone OsMacos Nov 4, 2025 Sep 27, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A resource exhaustion issue was addressed with improved input validation. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may lead to a denial-of-service.
CVE-2023-41294 1Huawei 1Harmonyos Nov 21, 2024 Sep 25, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super Device services.
CVE-2023-43771 1Mikebrady 1Not Quite Ptp Nov 21, 2024 Sep 22, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 In nqptp-message-handlers.c in nqptp before 1.2.3, crafted packets received on the control port could crash the program.
CVE-2023-43767 1F Secure 7Atlant Client SecurityElements Endpoint Protection+4 more Nov 21, 2024 Sep 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Certain WithSecure products allow Denial of Service via the aepack archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure El...Show more Certain WithSecure products allow Denial of Service via the aepack archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.Show less
CVE-2023-42457 1Plone 1Rest Feb 13, 2025 Sep 21, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times...Show more plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).Show less

Previous 1...717273...155 Next