CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-QJ8W-GFJ5-8C6V
Vulnerability from github – Published: 2026-03-27 18:18 – Updated: 2026-05-21 18:30Impact
What kind of vulnerability is it?
It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.
Who is impacted?
Applications that use serialize-javascript to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as these could be used to inject the malicious object.
Patches
Has the problem been patched?
Yes, the issue has been patched by replacing instanceof Array checks with Array.isArray() and using Object.keys() for sparse array detection.
What versions should users upgrade to?
Users should upgrade to v7.0.5 or later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:
- Validating and sanitizing all input before passing it to the
serialize()function. - Ensuring the environment is protected against Prototype Pollution.
- Upgrading to
v7.0.5as soon as possible.
Acknowledgements
Serialize JavaScript thanks Tomer Aberbach (@TomerAberbach) for discovering and privately disclosing this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "serialize-javascript"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "7.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34043"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-834"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T18:18:54Z",
"nvd_published_at": "2026-03-31T03:15:58Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n**What kind of vulnerability is it?**\n\nIt is a **Denial of Service (DoS)** vulnerability caused by CPU exhaustion. When serializing a specially crafted \"array-like\" object (an object that inherits from `Array.prototype` but has a very large `length` property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.\n\n**Who is impacted?**\n\nApplications that use `serialize-javascript` to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to **Prototype Pollution** or handles untrusted data via **YAML Deserialization**, as these could be used to inject the malicious object.\n\n### Patches\n\n**Has the problem been patched?**\n\nYes, the issue has been patched by replacing `instanceof Array` checks with `Array.isArray()` and using `Object.keys()` for sparse array detection.\n\n**What versions should users upgrade to?**\n\nUsers should upgrade to **`v7.0.5`** or later.\n\n### Workarounds\n\n**Is there a way for users to fix or remediate the vulnerability without upgrading?**\n\nThere is no direct code-level workaround within the library itself. However, users can mitigate the risk by:\n\n* Validating and sanitizing all input before passing it to the `serialize()` function.\n* Ensuring the environment is protected against Prototype Pollution.\n* Upgrading to **`v7.0.5`** as soon as possible.\n\n### Acknowledgements\n\nSerialize JavaScript thanks **Tomer Aberbach** (@TomerAberbach) for discovering and privately disclosing this issue.",
"id": "GHSA-qj8w-gfj5-8c6v",
"modified": "2026-05-21T18:30:13Z",
"published": "2026-03-27T18:18:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34043"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b"
},
{
"type": "PACKAGE",
"url": "https://github.com/yahoo/serialize-javascript"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/releases/tag/v5.0.0"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"
}
GHSA-QJP4-G2MQ-4R5W
Vulnerability from github – Published: 2023-09-14 21:30 – Updated: 2026-06-23 18:31A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-32611"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-14T20:15:09Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"id": "GHSA-qjp4-g2mq-4r5w",
"modified": "2026-06-23T18:31:30Z",
"published": "2023-09-14T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32611"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-32611"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211829"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2797"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-18"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231027-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJR6-P4J5-V4QX
Vulnerability from github – Published: 2024-05-20 00:30 – Updated: 2024-05-20 00:30A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's id attribute to a value of 0. This issue affects the current version of the software, with the latest commit id 57984fa85c31988b2eff429adfc654c46e0c342a. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
{
"affected": [],
"aliases": [
"CVE-2024-4284"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T23:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user\u0027s `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application\u0027s mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware\u0027s token validation logic. This issue has been addressed in version 1.0.0 of the software.",
"id": "GHSA-qjr6-p4j5-v4qx",
"modified": "2024-05-20T00:30:25Z",
"published": "2024-05-20T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4284"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJRR-9QQ3-H6FF
Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2025-05-05 18:30Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0092"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "MODERATE"
},
"details": "Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.",
"id": "GHSA-qjrr-9qq3-h6ff",
"modified": "2025-05-05T18:30:57Z",
"published": "2022-02-11T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0092"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220210-0007"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00527.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJVJ-64RF-P4QG
Vulnerability from github – Published: 2022-05-02 06:10 – Updated: 2022-05-02 06:10The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.
{
"affected": [],
"aliases": [
"CVE-2010-0205"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-03-03T19:30:00Z",
"severity": "MODERATE"
},
"details": "The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a \"decompression bomb\" attack.",
"id": "GHSA-qjvj-64rf-p4qg",
"modified": "2022-05-02T06:10:56Z",
"published": "2022-05-02T06:10:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0205"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56661"
},
{
"type": "WEB",
"url": "http://libpng.sourceforge.net/ADVISORY-1.4.1.html"
},
{
"type": "WEB",
"url": "http://libpng.sourceforge.net/decompression_bombs.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037237.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037355.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037364.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037607.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.vmware.com/pipermail/security-announce/2010/000105.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/62670"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38774"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/39251"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/41574"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4435"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-913-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-2032"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/576029"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:063"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:064"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/38478"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1023674"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2010-0014.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0517"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0605"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0626"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0637"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0667"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0682"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0686"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0847"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1107"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/2491"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJVR-CGCX-RP8G
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable denial of service vulnerability exists in the processing of snmp-set commands of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted snmp-set request, when sent without associated firmware flashing snmp-set commands, can cause a device power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-12090"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-05T21:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable denial of service vulnerability exists in the processing of snmp-set commands of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted snmp-set request, when sent without associated firmware flashing snmp-set commands, can cause a device power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.",
"id": "GHSA-qjvr-cgcx-rp8g",
"modified": "2022-05-13T01:01:40Z",
"published": "2022-05-13T01:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12090"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0442"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJXF-F2MG-C6MC
Vulnerability from github – Published: 2026-03-12 14:19 – Updated: 2026-06-08 19:51In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.
Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.4"
},
"package": {
"ecosystem": "PyPI",
"name": "tornado"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31958"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:19:52Z",
"nvd_published_at": "2026-03-11T20:16:16Z",
"severity": "HIGH"
},
"details": "In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. \n\nTornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.",
"id": "GHSA-qjxf-f2mg-c6mc",
"modified": "2026-06-08T19:51:12Z",
"published": "2026-03-12T14:19:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958"
},
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2026-140.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tornadoweb/tornado"
},
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tornado is vulnerable to DoS due to too many multipart parts"
}
GHSA-QM3H-46XC-W7W4
Vulnerability from github – Published: 2025-11-05 17:48 – Updated: 2025-11-05 17:48An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).
{
"affected": [],
"aliases": [
"CVE-2025-60753"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-05T16:15:40Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).",
"id": "GHSA-qm3h-46xc-w7w4",
"modified": "2025-11-05T17:48:28Z",
"published": "2025-11-05T17:48:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60753"
},
{
"type": "WEB",
"url": "https://github.com/libarchive/libarchive/issues/2725"
},
{
"type": "WEB",
"url": "https://github.com/Papya-j/CVE/tree/main/CVE-2025-60753"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMF9-6JQF-J8FQ
Vulnerability from github – Published: 2023-11-02 06:30 – Updated: 2024-09-20 16:05An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "3.2a1"
},
{
"fixed": "3.2.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.1a1"
},
{
"fixed": "4.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.2a1"
},
{
"fixed": "4.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46695"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-02T21:26:14Z",
"nvd_published_at": "2023-11-02T06:15:08Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.",
"id": "GHSA-qmf9-6jqf-j8fq",
"modified": "2024-09-20T16:05:09Z",
"published": "2023-11-02T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46695"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.2/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231214-0001"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django potential denial of service vulnerability in UsernameField on Windows"
}
GHSA-QMVJ-4QR9-V547
Vulnerability from github – Published: 2023-11-27 23:27 – Updated: 2023-12-04 15:16Summary
A vulnerability was fond in Knative Serving that could allow an attacker to crash the Knative Serving autoscaler resulting in a denial of service. The attacker would need to have compromised one pod in the Knative Serving deployment, and with that position they could launch the attack against the autoscaler.
When the autoscaler scrapes the metrics of pods, it sends a request to the /metrics endpoint of each pod and reads the response. The attacker would need to detect the request from the autoscaler to the /metrics endpoint of the pod they had compromised and send a malicious response back to the autoscaler. At this point, the autoscaler would crash. The root cause of the vulnerability was a memory exhaustion issue in the autoscaler that the attacker could trigger with the malicious reponse.
The vulnerability would allow a privilege escalation by the attacker from controlling one point to having negative impact on the entire Knative Serving deployment.
Impact
All users are vulnerable to this; Users that have not had any of their pods compromised are not at risk of this vulnerability.
Mitigation
The vulnerability has been patched in v1.10.5, v1.11.3 and v1.12.0
Credits
The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "knative.dev/serving"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48713"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-27T23:27:04Z",
"nvd_published_at": "2023-11-28T04:15:07Z",
"severity": "MODERATE"
},
"details": "### Summary\nA vulnerability was fond in Knative Serving that could allow an attacker to crash the Knative Serving autoscaler resulting in a denial of service. The attacker would need to have compromised one pod in the Knative Serving deployment, and with that position they could launch the attack against the autoscaler. \nWhen the autoscaler scrapes the metrics of pods, it sends a request to the `/metrics` endpoint of each pod and reads the response. The attacker would need to detect the request from the autoscaler to the `/metrics` endpoint of the pod they had compromised and send a malicious response back to the autoscaler. At this point, the autoscaler would crash. The root cause of the vulnerability was a memory exhaustion issue in the autoscaler that the attacker could trigger with the malicious reponse.\n\nThe vulnerability would allow a privilege escalation by the attacker from controlling one point to having negative impact on the entire Knative Serving deployment.\n\n### Impact\nAll users are vulnerable to this; Users that have not had any of their pods compromised are not at risk of this vulnerability. \n\n### Mitigation\nThe vulnerability has been patched in v1.10.5, v1.11.3 and v1.12.0\n\n### Credits\nThe vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.",
"id": "GHSA-qmvj-4qr9-v547",
"modified": "2023-12-04T15:16:16Z",
"published": "2023-11-27T23:27:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48713"
},
{
"type": "WEB",
"url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"
},
{
"type": "WEB",
"url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"
},
{
"type": "WEB",
"url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"
},
{
"type": "PACKAGE",
"url": "https://github.com/knative/serving"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.