Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,097)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-5419 5Debian FedoraprojectOpensuse+2 more 6Cloudforms Debian LinuxFedora+3 more Nov 21, 2024 Mar 27, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unre...Show more There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.Show less
CVE-2019-4046 1Ibm 1Websphere Application Server Nov 21, 2024 Mar 25, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of...Show more IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of Memory. IBM X-Force ID: 156242.Show less
CVE-2019-3874 5Canonical DebianLinux+2 more 9Active Iq Unified Manager For Vmware Vsphere Cn1610 FirmwareDebian Linux+6 more Nov 21, 2024 Mar 25, 2019 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vu...Show more The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.Show less
CVE-2018-19158 1Colossusxt 1Colossuscoinxt Nov 21, 2024 Mar 21, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ColossusCoinXT through 1.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends i...Show more ColossusCoinXT through 1.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.Show less
CVE-2018-18898 4Bestpractical CanonicalDebian+1 more 4Debian Linux FedoraRequest Tracker+1 more Nov 21, 2024 Mar 21, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing.
CVE-2019-9750 1Iotivity 1Iotivity Nov 21, 2024 Mar 13, 2019 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 In IoTivity through 1.3.1, the CoAP server interface can be used for Distributed Denial of Service attacks using source IP address spoofing and UDP-based traffic amplification. The reflected traffic is 6 times bigger tha...Show more In IoTivity through 1.3.1, the CoAP server interface can be used for Distributed Denial of Service attacks using source IP address spoofing and UDP-based traffic amplification. The reflected traffic is 6 times bigger than spoofed requests. This occurs because the construction of a "4.01 Unauthorized" response is mishandled. NOTE: the vendor states "While this is an interesting attack, there is no plan for maintainer to fix, as we are migrating to IoTivity Lite."Show less
CVE-2019-9587 1Glyphandcog 1Xpdfreader Nov 21, 2024 Mar 6, 2019 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 There is a stack consumption issue in md5Round1() located in Decrypt.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Serv...Show more There is a stack consumption issue in md5Round1() located in Decrypt.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to Catalog::countPageTree.Show less
CVE-2019-6559 1Moxa 4Eds 405a Firmware Eds 408a FirmwareEds 510a Firmware+1 more Nov 21, 2024 Mar 5, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Moxa IKS and EDS allow remote authenticated users to cause a denial of service via a specially crafted packet, which may cause the switch to crash.
CVE-2018-5819 2Debian Libraw 2Debian Linux Libraw Nov 21, 2024 Feb 20, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 An error within the "parse_sinar_ia()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to exhaust available CPU resources.
CVE-2018-20030 1Libexif Project 1Libexif Nov 21, 2024 Feb 20, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources.
CVE-2019-8909 1Wtcms Project 1Wtcms Nov 21, 2024 Feb 18, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.
CVE-2017-0938 1Ui 2Airos Edgemax Firmware Nov 21, 2024 Feb 12, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks.
CVE-2019-1672 1Cisco 1Web Security Appliance Nov 21, 2024 Feb 8, 2019 N/A· v4 5.8 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto th...Show more A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected.Show less
CVE-2019-6535 1Mitsubishielectric 18Q03udecpu Firmware Q03udvcpu FirmwareQ04udehcpu Firmware+15 more Jun 26, 2025 Feb 5, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and prior, Q04/06/13/26UDPVCPU: serial number 20081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior. A remote attac...Show more Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and prior, Q04/06/13/26UDPVCPU: serial number 20081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior. A remote attacker can send specific bytes over Port 5007 that will result in an Ethernet stack crash and disruption to USB communication.Show less
CVE-2018-16492 1Extend Project 1Extend Nov 21, 2024 Feb 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
CVE-2018-16491 1Dreamerslab 1Node.extend Nov 21, 2024 Feb 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
CVE-2018-16490 1Mpath Project 1Mpath Nov 21, 2024 Feb 1, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
CVE-2018-16489 1Just Extend Project 1Just Extend Nov 21, 2024 Feb 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions.
CVE-2018-16487 1Lodash 1Lodash Nov 21, 2024 Feb 1, 2019 N/A· v4 5.6 MEDIUM· v3 6.8 MEDIUM· v2 A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
CVE-2018-16486 1Defaults Deep Project 1Defaults Deep Nov 21, 2024 Feb 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.

Previous 1...131132133...155 Next