CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-QQ9R-36HC-F769
Vulnerability from github – Published: 2023-10-04 12:30 – Updated: 2024-04-04 08:16A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.
{
"affected": [],
"aliases": [
"CVE-2023-3153"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T12:15:10Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.",
"id": "GHSA-qq9r-36hc-f769",
"modified": "2024-04-04T08:16:22Z",
"published": "2023-10-04T12:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3153"
},
{
"type": "WEB",
"url": "https://github.com/ovn-org/ovn/issues/198"
},
{
"type": "WEB",
"url": "https://github.com/ovn-org/ovn/commit/9a3f7ed905e525ebdcb14541e775211cbb0203bd"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-3153"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213279"
},
{
"type": "WEB",
"url": "https://mail.openvswitch.org/pipermail/ovs-announce/2023-August/000327.html"
},
{
"type": "WEB",
"url": "https://mail.openvswitch.org/pipermail/ovs-dev/2023-August/407553.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QQC5-PHF9-G9FV
Vulnerability from github – Published: 2026-06-02 00:31 – Updated: 2026-06-02 00:31In verifySignature of ApkChecksums.java, there is a possible way to cause a crash due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-0069"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T22:16:21Z",
"severity": "MODERATE"
},
"details": "In verifySignature of ApkChecksums.java, there is a possible way to cause a crash due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-qqc5-phf9-g9fv",
"modified": "2026-06-02T00:31:56Z",
"published": "2026-06-02T00:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0069"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/2026/2026-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQC8-RV37-79Q5
Vulnerability from github – Published: 2024-03-15 09:30 – Updated: 2024-12-18 19:21Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240209181221-674f549daf0e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240209181221-674f549daf0e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240209181221-674f549daf0e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240209181221-674f549daf0e"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28053"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-13T20:37:40Z",
"nvd_published_at": "2024-03-15T09:15:07Z",
"severity": "LOW"
},
"details": "Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit\u00a0the size of the payload that can be read and parsed allowing an attacker to send a\u00a0very large email payload and crash the server.\n\n",
"id": "GHSA-qqc8-rv37-79q5",
"modified": "2024-12-18T19:21:46Z",
"published": "2024-03-15T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28053"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qqc8-rv37-79q5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Server Resource Exhaustion"
}
GHSA-QQFJ-JWQ4-RQMG
Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 18:33An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.
{
"affected": [],
"aliases": [
"CVE-2026-30041"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T15:16:37Z",
"severity": "HIGH"
},
"details": "An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.",
"id": "GHSA-qqfj-jwq4-rqmg",
"modified": "2026-06-26T18:33:53Z",
"published": "2026-06-26T15:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30041"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/936962"
},
{
"type": "WEB",
"url": "https://www.faststone.org/FSIVDownload.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQWM-P976-W7MM
Vulnerability from github – Published: 2022-05-14 02:01 – Updated: 2022-05-14 02:01The image rendering component (createGenericPreview) of the Open Whisper Signal app through 2.29.0 for iOS fails to check for unreasonably large images before manipulating received images. This allows for a large image sent to a user to exhaust all available memory when the image is displayed, resulting in a forced restart of the device.
{
"affected": [],
"aliases": [
"CVE-2018-16132"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-29T22:29:00Z",
"severity": "HIGH"
},
"details": "The image rendering component (createGenericPreview) of the Open Whisper Signal app through 2.29.0 for iOS fails to check for unreasonably large images before manipulating received images. This allows for a large image sent to a user to exhaust all available memory when the image is displayed, resulting in a forced restart of the device.",
"id": "GHSA-qqwm-p976-w7mm",
"modified": "2022-05-14T02:01:16Z",
"published": "2022-05-14T02:01:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16132"
},
{
"type": "WEB",
"url": "http://seclists.org/bugtraq/2018/Aug/57"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRF7-F27G-8WJX
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2024-03-21 03:33** DISPUTED ** Technicolor (formerly RCA) TC8305C devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-16310. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions.
{
"affected": [],
"aliases": [
"CVE-2018-15907"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-29T19:29:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** Technicolor (formerly RCA) TC8305C devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-16310. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions.",
"id": "GHSA-qrf7-f27g-8wjx",
"modified": "2024-03-21T03:33:31Z",
"published": "2022-05-13T01:50:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15907"
},
{
"type": "WEB",
"url": "https://bkd00r.wordpress.com/2018/08/27/cve-2018-15907-exploit-title-techniclor-formerly-rca-tc8305c-wireless-gateway-802-11b-g-n-gigaport-x-4-port-router-w-2-voice-lines-xfinity-comcast-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRG6-F4G9-6P3F
Vulnerability from github – Published: 2022-10-15 12:01 – Updated: 2022-10-19 12:00In cell service, there is a missing permission check. This could lead to local denial of service in cell service with no additional execution privileges needed.
{
"affected": [],
"aliases": [
"CVE-2022-38677"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-14T19:15:00Z",
"severity": "MODERATE"
},
"details": "In cell service, there is a missing permission check. This could lead to local denial of service in cell service with no additional execution privileges needed.",
"id": "GHSA-qrg6-f4g9-6p3f",
"modified": "2022-10-19T12:00:24Z",
"published": "2022-10-15T12:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38677"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1575654905820020738"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRJV-RF5Q-QPXC
Vulnerability from github – Published: 2022-08-06 05:20 – Updated: 2022-08-06 05:20Impact
Untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server.
The root cause of the issue is during dataframe parsing.
Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source.
When Vec::with_capacity fails to allocate, the default Rust allocator will abort the current process, killing all threads. This affects only sync (non-Tokio) implementation. Async version also does not limit memory, but does not use with_capacity, so DoS can happen only when bytes for oversized dataframe or message actually got delivered by the attacker.
This is a security concern for you, if - your server application handles untrusted websocket connections - OR your client application connects to untrusted websocket servers
Patches
The crashes are fixed in version 0.26.5 by imposing default dataframe size limits. Affected users are advised to update to this version.
Note that default memory limits are rather large (100MB dataframes and 200 MB messages), so they can still cause DoS in some environments (i.e. 32-bit). New API has been added to fine tune those limits for specific applications.
Workarounds
- Migrate your project to another, maintained Websocket library like Tungstenite.
- Accept only trusted WebSocket traffic.
- Filter the WebSocket traffic though some kind of proxy that ensures sanity limits on messages.
- Handle process aborts gracefully and limit process memory using OS tools.
Credits
This issue was reported by Evan Richter at ForAllSecure and found with Mayhem and Cargo Fuzz.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "websocket"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35922"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-06T05:20:00Z",
"nvd_published_at": "2022-08-01T22:15:00Z",
"severity": "HIGH"
},
"details": "## Impact\nUntrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server.\nThe root cause of the issue is during dataframe parsing.\nAffected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source.\nWhen `Vec::with_capacity` fails to allocate, the default Rust allocator will abort the current process, killing all threads. This affects only sync (non-Tokio) implementation. Async version also does not limit memory, but does not use `with_capacity`, so DoS can happen only when bytes for oversized dataframe or message actually got delivered by the attacker.\n\nThis is a security concern for you, if\n- your server application handles untrusted websocket connections\n- OR your client application connects to untrusted websocket servers\n\n## Patches\nThe crashes are fixed in version **0.26.5** by imposing default dataframe size limits.\nAffected users are advised to update to this version.\n\nNote that default memory limits are rather large (100MB dataframes and 200 MB messages), so they can still cause DoS in some environments (i.e. 32-bit). New API has been added to fine tune those limits for specific applications.\n\n### Workarounds\n\n* Migrate your project to another, maintained Websocket library like Tungstenite.\n* Accept only trusted WebSocket traffic.\n* Filter the WebSocket traffic though some kind of proxy that ensures sanity limits on messages.\n* Handle process aborts gracefully and limit process memory using OS tools.\n\n\n## Credits\nThis issue was reported by [Evan Richter](https://github.com/evanrichter) at ForAllSecure and found with [Mayhem](https://forallsecure.com/mayhem-for-code) and [Cargo Fuzz](https://github.com/rust-fuzz/cargo-fuzz).\n",
"id": "GHSA-qrjv-rf5q-qpxc",
"modified": "2022-08-06T05:20:00Z",
"published": "2022-08-06T05:20:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/websockets-rs/rust-websocket/security/advisories/GHSA-qrjv-rf5q-qpxc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35922"
},
{
"type": "WEB",
"url": "https://github.com/websockets-rs/rust-websocket/commit/cbf6e9983e839d2ecad86de8cd1b3f20ed43390b"
},
{
"type": "PACKAGE",
"url": "https://github.com/websockets-rs/rust-websocket"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V2EOOU5OLEHVMKAH6BALQXKDKIZRXCI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYPNCM4H4OFBIZI6XMJ2DUTS54FT2TWP"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0035.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rust-WebSocket memory allocation based on untrusted length"
}
GHSA-QRMC-FJ45-QFC2
Vulnerability from github – Published: 2019-02-07 18:03 – Updated: 2026-01-22 21:48Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.
Recommendation
If you're using extend 3.x upgrade to 3.0.2 or later.
If you're using extend 2.x upgrade to 2.0.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "extend"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "extend"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.3"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16492"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:52:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Versions of `extend` prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The `extend()` function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nIf you\u0027re using `extend` 3.x upgrade to 3.0.2 or later.\nIf you\u0027re using `extend` 2.x upgrade to 2.0.2 or later.",
"id": "GHSA-qrmc-fj45-qfc2",
"modified": "2026-01-22T21:48:14Z",
"published": "2019-02-07T18:03:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16492"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/6695"
},
{
"type": "WEB",
"url": "https://github.com/justmoon/node-extend/pull/48"
},
{
"type": "WEB",
"url": "https://github.com/justmoon/node-extend/commit/0e68e71d93507fcc391e398bc84abd0666b28190"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/381185"
},
{
"type": "PACKAGE",
"url": "https://github.com/justmoon/node-extend"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in extend"
}
GHSA-QRPW-GJVH-X5GM
Vulnerability from github – Published: 2026-05-13 15:30 – Updated: 2026-06-09 02:01Impact
Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag.
Patches
A general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.
Workarounds
No known workaround has been identified at this time.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a2"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44796"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:30:53Z",
"nvd_published_at": "2026-05-28T18:16:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nNautobot UI object-bulk-rename endpoints (for example, `/dcim/interfaces/rename/`) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the `find` field in combination with the `use_regex` flag.\n\n### Patches\n\nA general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.\n\n### Workarounds\n\nNo known workaround has been identified at this time.\n\n### References\n\n- 2.4.33 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee\"\u003epatch\u003c/a\u003e)\n- 3.1.2 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd\"\u003epatch\u003c/a\u003e)",
"id": "GHSA-qrpw-gjvh-x5gm",
"modified": "2026-06-09T02:01:07Z",
"published": "2026-05-13T15:30:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44796"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/nautobot/nautobot"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.