Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,099)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-28165 4Eclipse JenkinsNetapp+1 more 21Autovue For Agile Product Lifecycle Management Cloud ManagerCommunications Cloud Native Core Policy+18 more Aug 27, 2025 Apr 1, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-22177 1Gitlab 1Gitlab Nov 21, 2024 Apr 1, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
CVE-2021-20234 1Zeromq 1Libzmq Nov 21, 2024 Apr 1, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An uncontrolled resource consumption (memory leak) flaw was found in the ZeroMQ client in versions before 4.3.3 in src/pipe.cpp. This issue causes a client that connects to multiple malicious or compromised servers to cr...Show more An uncontrolled resource consumption (memory leak) flaw was found in the ZeroMQ client in versions before 4.3.3 in src/pipe.cpp. This issue causes a client that connects to multiple malicious or compromised servers to crash. The highest threat from this vulnerability is to system availability.Show less
CVE-2021-3479 2Debian Openexr 2Debian Linux Openexr Nov 21, 2024 Mar 31, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting i...Show more There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.Show less
CVE-2021-3478 2Debian Openexr 2Debian Linux Openexr Nov 21, 2024 Mar 31, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact...Show more There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.Show less
CVE-2018-1109 1Braces Project 1Braces Dec 1, 2025 Mar 30, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
CVE-2018-1107 1Is My Json Valid Project 1Is My Json Valid Nov 21, 2024 Mar 30, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an exces...Show more It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.Show less
CVE-2021-20216 1Privoxy 1Privoxy Nov 21, 2024 Mar 25, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is to system availability...Show more A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is to system availability.Show less
CVE-2021-1460 1Cisco 3Cgr1000 Firmware Ic3000 Industrial Compute Gateway FirmwareIos Nov 21, 2024 Mar 24, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability in the Cisco IOx Application Framework of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Module, and Cisco IC3000 Industrial Compute...Show more A vulnerability in the Cisco IOx Application Framework of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Module, and Cisco IC3000 Industrial Compute Gateway could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient error handling during packet processing. An attacker could exploit this vulnerability by sending a high and sustained rate of crafted TCP traffic to the IOx web server on an affected device. A successful exploit could allow the attacker to cause the IOx web server to stop processing requests, resulting in a DoS condition.Show less
CVE-2019-19343 2Netapp Redhat 4Active Iq Unified Manager Jboss Enterprise Application PlatformJboss Remoting+1 more Nov 21, 2024 Mar 23, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versi...Show more A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.Show less
CVE-2021-21348 6Apache DebianFedoraproject+3 more 16Activemq Banking Enterprise Default ManagementBanking Platform+13 more May 23, 2025 Mar 23, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and wil...Show more XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.Show less
CVE-2021-21341 6Apache DebianFedoraproject+3 more 13Activemq Banking Enterprise Default ManagementBanking Platform+10 more May 23, 2025 Mar 23, 2021 N/A· v4 7.5 HIGH· v3 7.1 HIGH· v2 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on...Show more XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.Show less
CVE-2021-21267 2Netapp Schema Inspector Project 3E Series Performance Analyzer Oncommand InsightSchema Inspector Nov 21, 2024 Mar 19, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (...Show more Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS.Show less
CVE-2021-28089 2Fedoraproject Torproject 2Fedora Tor Nov 21, 2024 Mar 19, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001.
CVE-2020-27827 5Fedoraproject Lldpd ProjectOpenvswitch+2 more 17Enterprise Linux FedoraLldpd+14 more Dec 3, 2025 Mar 18, 2021 N/A· v4 7.5 HIGH· v3 7.1 HIGH· v2 A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest...Show more A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.Show less
CVE-2021-21375 2Debian Teluu 2Debian Linux Pjsip Nov 21, 2024 Mar 10, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial...Show more PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service.Show less
CVE-2020-35233 1Netgear 2Gs116e Firmware Jgs516pe Firmware Nov 21, 2024 Mar 10, 2021 N/A· v4 6.5 MEDIUM· v3 6.1 MEDIUM· v2 The TFTP server fails to handle multiple connections on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices, and allows external attackers to force device reboots by sending concurrent connections, aka a denial of service attack...Show more The TFTP server fails to handle multiple connections on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices, and allows external attackers to force device reboots by sending concurrent connections, aka a denial of service attack.Show less
CVE-2021-20265 2Linux Oracle 2Linux Kernel Tekelec Platform Distribution Nov 21, 2024 Mar 10, 2021 N/A· v4 5.5 MEDIUM· v3 4.9 MEDIUM· v2 A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting ava...Show more A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.Show less
CVE-2021-21369 1Linuxfoundation 1Besu Nov 21, 2024 Mar 9, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and pa...Show more Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.Show less
CVE-2021-22883 5Fedoraproject NetappNodejs+2 more 9E Series Performance Analyzer FedoraGraalvm+6 more Nov 21, 2024 Mar 3, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If...Show more Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.Show less

Previous 1...109110111...155 Next