CWE-400

3,106 CVEs • Abstraction: Class • Likelihood of Exploit: High

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,106)

Each entry lists: Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2) · Description

Vendors: Vmware
Products: Spring Framework
Updated: Feb 25, 2025 · Published: Mar 23, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Vendors (3): Fedoraproject, Haproxy, Redhat
Products (9): Ceph Storage, Extra Packages For Enterprise Linux, Fedora, +6 more
Updated: Feb 25, 2025 · Published: Mar 23, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.

Vendors: Radare
Products: Radare2
Updated: Nov 21, 2024 · Published: Mar 23, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Denial of Service in GitHub repository radareorg/radare2 prior to 5.8.6.

Vendors: Getgophish
Products: Gophish
Updated: Feb 25, 2025 · Published: Mar 22, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.

Vendors: Microsoft
Products (13): Windows 10 1507, Windows 10 1607, Windows 10 1809, +10 more
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
Windows Secure Channel Denial of Service Vulnerability

Vendors: Microsoft
Products (11): Windows 10 1507, Windows 10 1607, Windows 10 1809, +8 more
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
Windows Hyper-V Denial of Service Vulnerability

Vendors: Microsoft
Products (2): Office Online Server, Office Web Apps Server
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
Microsoft Excel Denial of Service Vulnerability

Vendors: Sap
Products: Netweaver Application Server Abap
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.

Vendors: Sap
Products: Netweaver Application Server Abap
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.

Vendors (2): Debian, Rack
Products (2): Debian Linux, Rack
Updated: Feb 13, 2025 · Published: Mar 10, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.

Vendors: Gitlab
Products: Gitlab
Updated: Nov 21, 2024 · Published: Mar 9, 2023
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details.

Vendors: Crossplane
Products: Crossplane
Updated: Nov 21, 2024 · Published: Mar 9, 2023
CVSS: v4 N/A · v3 4.9 MEDIUM · v2 N/A
crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's `ToFieldPath`, which could lead to excessive memory usage once such Composition is selected for a Composite resource. Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, Crossplane will grow that slice up to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value. This issue has been addressed in versions 1.11.2, 1.10.3, and 1.9.2. Users are advised to upgrade. Users unable to upgrade can restrict write privileges on Compositions to only admin users as a workaround.

Vendors: Crossplane
Products: Crossplane Runtime
Updated: Nov 21, 2024 · Published: Mar 9, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. Applications that use the `Paved` type's `SetValue` method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic. In the fieldpath package, the Paved.SetValue method sets a value on the Paved object according to the provided path, without any validation. This allows setting values in slices at any provided index, which grows the target array up to the requested index; the index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value. If callers are not validating paths' indexes on their own, which most probably they are not going to do, given that the input is parsed directly in the SetValue method, this could allow users to consume arbitrary amounts of memory. Applications that do not use the `Paved` type's `SetValue` method are not affected. This issue has been addressed in versions 0.16.1 and 0.19.2. Users are advised to upgrade. Users unable to upgrade can parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate.

Vendors: Fortinet
Products: Fortirecorder Firmware
Updated: Nov 21, 2024 · Published: Mar 7, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
An uncontrolled resource consumption vulnerability [CWE-400] in the FortiRecorder version 6.4.3 and below, 6.0.11 and below login authentication mechanism may allow an unauthenticated attacker to make the device unavailable via crafted GET requests.

Vendors (2): Openstack, Redhat
Products (2): Neutron, Openstack Platform
Updated: Mar 7, 2025 · Published: Mar 6, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

Vendors: Zohocorp
Products (4): Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, +1 more
Updated: Nov 21, 2024 · Published: Mar 6, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

Vendors: Moodle
Products: Moodle
Updated: Mar 7, 2025 · Published: Mar 6, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

Vendors: Openbsd
Products: Openbsd
Updated: Mar 6, 2025 · Published: Mar 3, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel.

Vendors: Xwiki
Products: Xwiki
Updated: Nov 21, 2024 · Published: Mar 2, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1.

Vendors: Netapp
Products: Storagegrid
Updated: Mar 7, 2025 · Published: Mar 2, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0.8 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to a crash of the Local Distribution Router (LDR) service.