CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
CVE-2025-4215 (GCVE-0-2025-4215)
Vulnerability from cvelistv5 – Published: 2025-05-02 20:31 – Updated: 2025-06-12 00:12| URL | Tags |
|---|---|
| https://vuldb.com/?id.307194 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.307194 | signaturepermissions-required |
| https://vuldb.com/?submit.562301 | third-party-advisory |
| https://github.com/gorhill/uBlock/commit/eaedaf5b… | patch |
| https://github.com/gorhill/uBlock/releases/tag/1.… | patch |
| https://lists.debian.org/debian-lts-announce/2025… |
| Vendor | Product | Version | |
|---|---|---|---|
| gorhill | uBlock Origin |
Affected:
1.63.3b16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T14:55:50.256204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T14:56:03.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-12T00:12:13.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"UI"
],
"product": "uBlock Origin",
"vendor": "gorhill",
"versions": [
{
"status": "affected",
"version": "1.63.3b16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in gorhill uBlock Origin bis 1.63.3b16 ausgemacht. Betroffen hiervon ist die Funktion currentStateChanged der Datei src/js/1p-filters.js der Komponente UI. Durch Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.63.3b17 vermag dieses Problem zu l\u00f6sen. Der Patch wird als eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:31:05.334Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307194 | gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307194"
},
{
"name": "VDB-307194 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307194"
},
{
"name": "Submit #562301 | uBlock @gorhill/ubo-core \u003e=npm_0.1.11 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.562301"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-02T14:58:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4215",
"datePublished": "2025-05-02T20:31:05.334Z",
"dateReserved": "2025-05-02T12:51:52.695Z",
"dateUpdated": "2025-06-12T00:12:13.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4001 (GCVE-0-2025-4001)
Vulnerability from cvelistv5 – Published: 2025-04-28 04:31 – Updated: 2025-04-28 14:23| URL | Tags |
|---|---|
| https://vuldb.com/?id.306337 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.306337 | signaturepermissions-required |
| https://vuldb.com/?submit.558121 | third-party-advisory |
| https://github.com/scipopt/scip/issues/130 | issue-tracking |
| https://github.com/scipopt/scip/issues/130#issuec… | issue-tracking |
| https://github.com/scipopt/scip/commit/d6da63b941… | patch |
| https://github.com/scipopt/scip/releases/tag/v922 | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T14:23:19.532792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T14:23:32.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Descriptor Handler"
],
"product": "scip",
"vendor": "scipopt",
"versions": [
{
"status": "affected",
"version": "9.2.0"
},
{
"status": "affected",
"version": "9.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "micromilo (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in scipopt scip up to 9.2.1 and classified as problematic. Affected by this vulnerability is the function main of the file examples/LOP/src/genRandomLOPInstance.c of the component File Descriptor Handler. The manipulation of the argument File leads to uncontrolled file descriptor consumption. Local access is required to approach this attack. Upgrading to version 9.2.2 is able to address this issue. The identifier of the patch is d6da63b941216d75fbc1aefea9abf1de6712a2d0. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "In scipopt scip bis 9.2.1 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Betroffen ist die Funktion main der Datei examples/LOP/src/genRandomLOPInstance.c der Komponente File Descriptor Handler. Durch das Beeinflussen des Arguments File mit unbekannten Daten kann eine uncontrolled file descriptor consumption-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Ein Aktualisieren auf die Version 9.2.2 vermag dieses Problem zu l\u00f6sen. Der Patch wird als d6da63b941216d75fbc1aefea9abf1de6712a2d0 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-769",
"description": "Uncontrolled File Descriptor Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T04:31:05.040Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306337 | scipopt scip File Descriptor genRandomLOPInstance.c main file descriptor consumption",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306337"
},
{
"name": "VDB-306337 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306337"
},
{
"name": "Submit #558121 | scipopt scip v.9.2.1 Missing Release of File Descriptor or Handle after Effective Lif",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.558121"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/scipopt/scip/issues/130"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/scipopt/scip/issues/130#issuecomment-2697893742"
},
{
"tags": [
"patch"
],
"url": "https://github.com/scipopt/scip/commit/d6da63b941216d75fbc1aefea9abf1de6712a2d0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/scipopt/scip/releases/tag/v922"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:32:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "scipopt scip File Descriptor genRandomLOPInstance.c main file descriptor consumption"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4001",
"datePublished": "2025-04-28T04:31:05.040Z",
"dateReserved": "2025-04-26T08:26:58.124Z",
"dateUpdated": "2025-04-28T14:23:32.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3986 (GCVE-0-2025-3986)
Vulnerability from cvelistv5 – Published: 2025-04-27 21:00 – Updated: 2025-04-28 17:38| URL | Tags |
|---|---|
| https://vuldb.com/?id.306322 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.306322 | signaturepermissions-required |
| https://vuldb.com/?submit.557473 | third-party-advisory |
| https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T17:34:50.472484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T17:38:45.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\\core\\cas-server-core-configuration-metadata-repository\\src\\main\\java\\org\\apereo\\cas\\metadata\\rest\\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Apereo CAS 5.2.6 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei cas-5.2.6\\core\\cas-server-core-configuration-metadata-repository\\src\\main\\java\\org\\apereo\\cas\\metadata\\rest\\CasConfigurationMetadataServerController.java. Mittels dem Manipulieren des Arguments Name mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T21:00:07.694Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306322 | Apereo CAS CasConfigurationMetadataServerController.java redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306322"
},
{
"name": "VDB-306322 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306322"
},
{
"name": "Submit #557473 | Apereo CAS v5.2.6 ReDos Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557473"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS CasConfigurationMetadataServerController.java redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3986",
"datePublished": "2025-04-27T21:00:07.694Z",
"dateReserved": "2025-04-26T08:07:08.619Z",
"dateUpdated": "2025-04-28T17:38:45.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3985 (GCVE-0-2025-3985)
Vulnerability from cvelistv5 – Published: 2025-04-27 20:31 – Updated: 2025-04-28 18:09| URL | Tags |
|---|---|
| https://vuldb.com/?id.306321 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.306321 | signaturepermissions-required |
| https://vuldb.com/?submit.557110 | third-party-advisory |
| https://wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T18:02:23.445535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T18:09:01.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Apereo CAS 5.2.6 ausgemacht. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion ResponseEntity der Datei cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\ManageRegisteredServicesMultiActionController.java. Durch Manipulation des Arguments Query mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T20:31:06.556Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306321 | Apereo CAS ResponseEntity redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306321"
},
{
"name": "VDB-306321 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306321"
},
{
"name": "Submit #557110 | Apereo CAS v5.2.6 ReDos regular expression engine denial of service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557110"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS ResponseEntity redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3985",
"datePublished": "2025-04-27T20:31:06.556Z",
"dateReserved": "2025-04-26T08:07:05.931Z",
"dateUpdated": "2025-04-28T18:09:01.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3602 (GCVE-0-2025-3602)
Vulnerability from cvelistv5 – Published: 2025-06-16 13:50 – Updated: 2025-06-16 14:30- CWE-400 - Uncontrolled Resource Consumption
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T14:29:39.685110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T14:30:21.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Portal",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.3.97",
"status": "affected",
"version": "7.4.0",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "DXP",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "dxp-20",
"status": "affected",
"version": "7.2.10-dxp-8",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.3.10-u35",
"status": "affected",
"version": "7.3.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.4.13-u92",
"status": "affected",
"version": "7.4.13",
"versionType": "maven"
},
{
"lessThanOrEqual": "2023.Q3.2",
"status": "affected",
"version": "2023.Q3.1",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries."
}
],
"value": "Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T13:50:04.254Z",
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay"
},
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3602"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"cveId": "CVE-2025-3602",
"datePublished": "2025-06-16T13:50:04.254Z",
"dateReserved": "2025-04-14T18:17:40.151Z",
"dateUpdated": "2025-06-16T14:30:21.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3526 (GCVE-0-2025-3526)
Vulnerability from cvelistv5 – Published: 2025-06-16 14:18 – Updated: 2025-06-16 14:41- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Liferay | Portal |
Affected:
7.0.0 , ≤ 7.4.3.21
(maven)
|
|
| Liferay | DXP |
Affected:
6.2.0 , ≤ portal-173
(maven)
Affected: 7.0.10 , ≤ de-102 (maven) Affected: 7.1.10 , ≤ dxp-28 (maven) Affected: 7.2.10 , ≤ dxp-20 (maven) Affected: 7.3.10 , ≤ 7.3.10-u25 (maven) Affected: 7.4.13 , ≤ 7.4.13-u9 (maven) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T14:41:05.877240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T14:41:32.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Portal",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.3.21",
"status": "affected",
"version": "7.0.0",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "DXP",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "portal-173",
"status": "affected",
"version": "6.2.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "de-102",
"status": "affected",
"version": "7.0.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "dxp-28",
"status": "affected",
"version": "7.1.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "dxp-20",
"status": "affected",
"version": "7.2.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.3.10-u25",
"status": "affected",
"version": "7.3.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.4.13-u9",
"status": "affected",
"version": "7.4.13",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests."
}
],
"value": "SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T14:18:34.913Z",
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay"
},
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"cveId": "CVE-2025-3526",
"datePublished": "2025-06-16T14:18:34.913Z",
"dateReserved": "2025-04-11T16:45:45.148Z",
"dateUpdated": "2025-06-16T14:41:32.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3112 (GCVE-0-2025-3112)
Vulnerability from cvelistv5 – Published: 2025-06-10 08:28 – Updated: 2025-06-10 14:24- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Modicon Controllers M241/M251 |
Affected:
Versions prior to 5.3.12.51
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:24:24.900130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:24:46.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Modicon Controllers M241/M251",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 5.3.12.51"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an\nauthenticated malicious user sends manipulated HTTPS Content-Length header to the webserver.\n\n\n\n \n\n\u003cbr\u003e"
}
],
"value": "CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an\nauthenticated malicious user sends manipulated HTTPS Content-Length header to the webserver."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T08:28:31.391Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-161-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-161-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-3112",
"datePublished": "2025-06-10T08:28:31.391Z",
"dateReserved": "2025-04-02T09:53:20.251Z",
"dateUpdated": "2025-06-10T14:24:46.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3016 (GCVE-0-2025-3016)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:00 – Updated: 2025-03-31 21:19| URL | Tags |
|---|---|
| https://vuldb.com/?id.302068 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.302068 | signaturepermissions-required |
| https://vuldb.com/?submit.524593 | third-party-advisory |
| https://github.com/assimp/assimp/issues/6022 | issue-tracking |
| https://github.com/assimp/assimp/pull/6046 | issue-tracking |
| https://github.com/assimp/assimp/commit/5d2a74823… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| Open Asset Import Library | Assimp |
Affected:
5.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3016",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T21:19:23.311285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:19:54.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/assimp/assimp/issues/6022"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"MDL File Handler"
],
"product": "Assimp",
"vendor": "Open Asset Import Library",
"versions": [
{
"status": "affected",
"version": "5.4.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "d3ng03 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function Assimp::MDLImporter::ParseTextureColorData of the file code/AssetLib/MDL/MDLMaterialLoader.cpp of the component MDL File Handler. The manipulation of the argument mWidth/mHeight leads to resource consumption. The attack can be initiated remotely. Upgrading to version 6.0 is able to address this issue. The name of the patch is 5d2a7482312db2e866439a8c05a07ce1e718bed1. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "In Open Asset Import Library Assimp 5.4.3 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Dabei geht es um die Funktion Assimp::MDLImporter::ParseTextureColorData der Datei code/AssetLib/MDL/MDLMaterialLoader.cpp der Komponente MDL File Handler. Durch Manipulieren des Arguments mWidth/mHeight mit unbekannten Daten kann eine resource consumption-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Ein Aktualisieren auf die Version 6.0 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 5d2a7482312db2e866439a8c05a07ce1e718bed1 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:00:10.538Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-302068 | Open Asset Import Library Assimp MDL File MDLMaterialLoader.cpp ParseTextureColorData resource consumption",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.302068"
},
{
"name": "VDB-302068 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.302068"
},
{
"name": "Submit #524593 | Open Asset Import Library Assimp \u003e=5.4.3 Uncontrolled Memory Allocation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.524593"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/assimp/assimp/issues/6022"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/assimp/assimp/pull/6046"
},
{
"tags": [
"patch"
],
"url": "https://github.com/assimp/assimp/commit/5d2a7482312db2e866439a8c05a07ce1e718bed1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-31T07:43:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open Asset Import Library Assimp MDL File MDLMaterialLoader.cpp ParseTextureColorData resource consumption"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3016",
"datePublished": "2025-03-31T21:00:10.538Z",
"dateReserved": "2025-03-31T05:37:57.633Z",
"dateUpdated": "2025-03-31T21:19:54.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2833 (GCVE-0-2025-2833)
Vulnerability from cvelistv5 – Published: 2025-03-27 04:00 – Updated: 2025-03-27 13:41| URL | Tags |
|---|---|
| https://vuldb.com/?id.301470 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.301470 | signaturepermissions-required |
| https://vuldb.com/?submit.521813 | third-party-advisory |
| https://github.com/zhangyd-c/OneBlog/issues/35 | issue-tracking |
| https://github.com/zhangyd-c/OneBlog/issues/35#is… | exploitissue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2833",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:41:44.373363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T13:41:47.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zhangyd-c/OneBlog/issues/35#issue-2914268214"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/zhangyd-c/OneBlog/issues/35"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP Header Handler"
],
"product": "OneBlog",
"vendor": "zhangyd-c",
"versions": [
{
"status": "affected",
"version": "2.3.0"
},
{
"status": "affected",
"version": "2.3.1"
},
{
"status": "affected",
"version": "2.3.2"
},
{
"status": "affected",
"version": "2.3.3"
},
{
"status": "affected",
"version": "2.3.4"
},
{
"status": "affected",
"version": "2.3.5"
},
{
"status": "affected",
"version": "2.3.6"
},
{
"status": "affected",
"version": "2.3.7"
},
{
"status": "affected",
"version": "2.3.8"
},
{
"status": "affected",
"version": "2.3.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "s1mple_xy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been classified as problematic. Affected is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in zhangyd-c OneBlog bis 2.3.9 ausgemacht. Es betrifft eine unbekannte Funktion der Komponente HTTP Header Handler. Durch Manipulation des Arguments X-Forwarded-For mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T04:00:05.554Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-301470 | zhangyd-c OneBlog HTTP Header redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.301470"
},
{
"name": "VDB-301470 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.301470"
},
{
"name": "Submit #521813 | https://github.com/zhangyd-c/OneBlog oneblog 2.3.9 redos",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.521813"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/zhangyd-c/OneBlog/issues/35"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhangyd-c/OneBlog/issues/35#issue-2914268214"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-26T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-26T21:34:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhangyd-c OneBlog HTTP Header redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2833",
"datePublished": "2025-03-27T04:00:05.554Z",
"dateReserved": "2025-03-26T20:29:38.451Z",
"dateUpdated": "2025-03-27T13:41:47.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2820 (GCVE-0-2025-2820)
Vulnerability from cvelistv5 – Published: 2025-03-26 14:58 – Updated: 2025-03-26 15:17- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Bizerba SE & Co. KG | Product family GLx and CWx |
Affected:
0.0 , < 16.20
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:17:09.360360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:17:18.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Product family GLx and CWx",
"vendor": "Bizerba SE \u0026 Co. KG",
"versions": [
{
"lessThan": "16.20",
"status": "affected",
"version": "0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated attacker can compromise the availability of the device via the network"
}
],
"value": "An authenticated attacker can compromise the availability of the device via the network"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:58:09.132Z",
"orgId": "0beee27a-7d8c-424f-8e46-ac453fa147e6",
"shortName": "bizerba"
},
"references": [
{
"url": "https://www.bizerba.com/downloads/global/information-security/2025/bizerba-sa-2025-0002.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to the current Version of the device firmware\n\n\u003cbr\u003e"
}
],
"value": "Update to the current Version of the device firmware"
}
],
"source": {
"advisory": "BIZERBA-SA-2025-0002",
"discovery": "UNKNOWN"
},
"title": "Denial of Service",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ePrevent access for unauthorized Persons for FTP and SFTP\u003c/span\u003e\u003c/li\u003e\u003cli\u003eDisable FTP and SFTP\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "* Prevent access for unauthorized Persons for FTP and SFTP\n * Disable FTP and SFTP"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0beee27a-7d8c-424f-8e46-ac453fa147e6",
"assignerShortName": "bizerba",
"cveId": "CVE-2025-2820",
"datePublished": "2025-03-26T14:58:09.132Z",
"dateReserved": "2025-03-26T14:52:26.131Z",
"dateUpdated": "2025-03-26T15:17:18.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.