CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5433 vulnerabilities reference this CWE, most recent first.
GHSA-PJ65-M939-VPP3
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48OMICRON StationGuard before 1.10 allows remote attackers to cause a denial of service (connectivity outage) via crafted tcp/20499 packets to the CTRL Ethernet port.
{
"affected": [],
"aliases": [
"CVE-2021-30464"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-20T19:15:00Z",
"severity": "HIGH"
},
"details": "OMICRON StationGuard before 1.10 allows remote attackers to cause a denial of service (connectivity outage) via crafted tcp/20499 packets to the CTRL Ethernet port.",
"id": "GHSA-pj65-m939-vpp3",
"modified": "2022-05-24T17:48:01Z",
"published": "2022-05-24T17:48:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30464"
},
{
"type": "WEB",
"url": "https://www.omicronenergy.com/download/file/e81f23250097e7d5e1071dfbdb7f16d2"
},
{
"type": "WEB",
"url": "https://www.omicronenergy.com/en/support/product-security"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PJFV-46PV-9Q9C
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-08-13 00:00A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). Affected devices write crashdumps without checking if enough space is available on the filesystem. Once the crashdump fills the entire root filesystem, affected devices fail to boot successfully. An attacker can leverage this vulnerability to cause a permanent Denial-of-Service.
{
"affected": [],
"aliases": [
"CVE-2021-41546"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-12T10:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1400 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1500 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1501 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1510 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1511 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1512 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1524 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX1536 (All versions \u003c V2.14.1), RUGGEDCOM ROX RX5000 (All versions \u003c V2.14.1). Affected devices write crashdumps without checking if enough space is available on the filesystem. Once the crashdump fills the entire root filesystem, affected devices fail to boot successfully. An attacker can leverage this vulnerability to cause a permanent Denial-of-Service.",
"id": "GHSA-pjfv-46pv-9q9c",
"modified": "2022-08-13T00:00:37Z",
"published": "2022-05-24T19:17:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41546"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-173565.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJMX-9XR3-82QR
Vulnerability from github – Published: 2018-07-24 19:59 – Updated: 2023-09-06 20:07Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.
Proof of Concept
var useragent = require('useragent');
var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));
Recommendation
Update to version 2.1.13 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.12"
},
"package": {
"ecosystem": "npm",
"name": "useragent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16030"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:49:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of `useragent` are vulnerable to regular expression denial of service when an arbitrarily long `User-Agent` header is parsed.\n\n\n## Proof of Concept\n```js\nvar useragent = require(\u0027useragent\u0027);\n\nvar badUserAgent = \u0027MSIE 0.0\u0027+Array(900000).join(\u00270\u0027)+\u0027XBLWP\u0027;\nvar request = \u0027GET / HTTP/1.1\\r\\nUser-Agent: \u0027 + badUserAgent + \u0027\\r\\n\\r\\n\u0027;\nconsole.log(useragent.parse(request));\n```\n\n\n## Recommendation\n\nUpdate to version 2.1.13 or later.",
"id": "GHSA-pjmx-9xr3-82qr",
"modified": "2023-09-06T20:07:59Z",
"published": "2018-07-24T19:59:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16030"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pjmx-9xr3-82qr"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/312"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ReDoS via long UserAgent header in useragent"
}
GHSA-PJRJ-H4FG-6GM4
Vulnerability from github – Published: 2023-12-05 23:42 – Updated: 2023-12-05 23:42Impact
The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.
Patches
The issue is fixed in version 4.1.0 of tokio-boring.
References
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "tokio-boring"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.0.0"
]
}
],
"aliases": [
"CVE-2023-6180"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401",
"CWE-404"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-05T23:42:49Z",
"nvd_published_at": "2023-12-05T15:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The `set_ex_data` function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n\n### Patches\nThe issue is fixed in version 4.1.0 of tokio-boring.\n\n### References\n[CVE-2023-6180 at cve.org](https://www.cve.org/CVERecord?id=CVE-2023-6180)\n",
"id": "GHSA-pjrj-h4fg-6gm4",
"modified": "2023-12-05T23:42:49Z",
"published": "2023-12-05T23:42:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6180"
},
{
"type": "WEB",
"url": "https://github.com/cloudflare/boring/commit/a32783374f2682e6949fdb713910b1b9f103d3ed"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudflare/boring"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "tokio-boring vulnerable to resource exhaustion via memory leak"
}
GHSA-PJX6-JJ7C-74M7
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-08-11 00:00A vulnerability has been identified in Opcenter Execution Discrete (All versions < V3.2), Opcenter Execution Foundation (All versions < V3.2), Opcenter Execution Process (All versions < V3.2), Opcenter Intelligence (All versions), Opcenter Quality (All versions < V11.3), Opcenter RD&L (V8.0), SIMATIC IT LMS (All versions), SIMATIC IT Production Suite (All versions), SIMATIC Notifier Server for Windows (All versions), SIMATIC PCS neo (All versions), SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMOCODE ES (All versions), Soft Starter ES (All versions). Sending multiple specially crafted packets to the affected service could cause a partial remote Denial-of-Service, that would cause the service to restart itself. On some cases the vulnerability could leak random information from the remote service.
{
"affected": [],
"aliases": [
"CVE-2020-7587"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-14T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Opcenter Execution Discrete (All versions \u003c V3.2), Opcenter Execution Foundation (All versions \u003c V3.2), Opcenter Execution Process (All versions \u003c V3.2), Opcenter Intelligence (All versions), Opcenter Quality (All versions \u003c V11.3), Opcenter RD\u0026L (V8.0), SIMATIC IT LMS (All versions), SIMATIC IT Production Suite (All versions), SIMATIC Notifier Server for Windows (All versions), SIMATIC PCS neo (All versions), SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions \u003c V16 Update 2), SIMOCODE ES (All versions), Soft Starter ES (All versions). Sending multiple specially crafted packets to the affected service could cause a partial remote Denial-of-Service, that would cause the service to restart itself. On some cases the vulnerability could leak random information from the remote service.",
"id": "GHSA-pjx6-jj7c-74m7",
"modified": "2022-08-11T00:00:20Z",
"published": "2022-05-24T17:22:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7587"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-841348.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PJXW-22XF-6PWC
Vulnerability from github – Published: 2019-02-07 18:16 – Updated: 2023-09-12 21:05All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects.
Recommendation
As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "defaults-deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16486"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:49:31Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `defaults-deep` are vulnerable to prototype pollution. Provided certain input `defaults-deep` can add or modify properties of the `Object` prototype. These properties will be present on all objects.\n\n\n## Recommendation\n\nAs no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.",
"id": "GHSA-pjxw-22xf-6pwc",
"modified": "2023-09-12T21:05:03Z",
"published": "2019-02-07T18:16:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16486"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/380878"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pjxw-22xf-6pwc"
},
{
"type": "PACKAGE",
"url": "https://github.com/jonschlinkert/defaults-deep"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/778"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in defaults-deep"
}
GHSA-PM38-P7H6-V3QF
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
{
"affected": [],
"aliases": [
"CVE-2019-20845"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.",
"id": "GHSA-pm38-p7h6-v3qf",
"modified": "2022-05-24T17:21:10Z",
"published": "2022-05-24T17:21:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20845"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PM9P-9926-W68M
Vulnerability from github – Published: 2017-12-28 22:52 – Updated: 2021-09-16 18:15ecstatic, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (%00) is provided by an attacker it can crash ecstatic by running it out of memory.
Results from the original advisory
A payload of 22kB caused a lag of 1 second,
A payload of 35kB caused a lag of 3 seconds,
A payload of 86kB caused the server to crash
Recommendation
Update to version 2.0.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ecstatic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-10703"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:49:34Z",
"nvd_published_at": "2017-12-14T19:29:00Z",
"severity": "HIGH"
},
"details": "`ecstatic`, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (`%00`) is provided by an attacker it can crash ecstatic by running it out of memory.\n\n\n[Results from the original advisory](https://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package/)\n\n```\nA payload of 22kB caused a lag of 1 second,\nA payload of 35kB caused a lag of 3 seconds,\nA payload of 86kB caused the server to crash\n```\n\n\n## Recommendation\n\nUpdate to version 2.0.0 or later.",
"id": "GHSA-pm9p-9926-w68m",
"modified": "2021-09-16T18:15:09Z",
"published": "2017-12-28T22:52:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10703"
},
{
"type": "WEB",
"url": "https://github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01"
},
{
"type": "WEB",
"url": "https://github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01#diff-b2b5a88fb51675f1aa1065c093dce1ee"
},
{
"type": "WEB",
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4450"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pm9p-9926-w68m"
},
{
"type": "PACKAGE",
"url": "https://github.com/jfhbrook/node-ecstatic"
},
{
"type": "WEB",
"url": "https://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/553"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in ecstatic"
}
GHSA-PMG9-P9R2-6Q87
Vulnerability from github – Published: 2018-07-24 19:46 – Updated: 2021-01-08 18:20Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.
Recommendation
No patch is currently available for this vulnerability.
The best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as useragent.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ua-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16086"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:49:36Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of `ua-parser` are vulnerable to regular expression denial of service when given a specially crafted `User-Agent` header.\n\n\n## Recommendation\n\nNo patch is currently available for this vulnerability.\n\nThe best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as [useragent](https://www.npmjs.com/package/useragent).",
"id": "GHSA-pmg9-p9r2-6q87",
"modified": "2021-01-08T18:20:33Z",
"published": "2018-07-24T19:46:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16086"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pmg9-p9r2-6q87"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/316"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ReDoS via long UserAgent header in ua-parser"
}
GHSA-PMH6-CQ54-943M
Vulnerability from github – Published: 2023-01-05 03:30 – Updated: 2025-04-07 21:31WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
{
"affected": [],
"aliases": [
"CVE-2023-22622"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T02:15:00Z",
"severity": "HIGH"
},
"details": "WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes \"the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner,\" but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.",
"id": "GHSA-pmh6-cq54-943m",
"modified": "2025-04-07T21:31:37Z",
"published": "2023-01-05T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22622"
},
{
"type": "WEB",
"url": "https://developer.wordpress.org/plugins/cron"
},
{
"type": "WEB",
"url": "https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8"
},
{
"type": "WEB",
"url": "https://medium.com/%40thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30"
},
{
"type": "WEB",
"url": "https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30"
},
{
"type": "WEB",
"url": "https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622"
},
{
"type": "WEB",
"url": "https://wordpress.org/about/security"
},
{
"type": "WEB",
"url": "https://wordpress.org/support/article/how-to-install-wordpress"
},
{
"type": "WEB",
"url": "https://www.tenable.com/plugins/was/113449"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.