Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5425 vulnerabilities reference this CWE, most recent first.

CVE-2024-7708 (GCVE-0-2024-7708)

Vulnerability from cvelistv5 – Published: 2026-07-14 09:01 – Updated: 2026-07-14 12:17
VLAI
Summary
For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak. This is particularly the case for 100-Continue, but any request where the network is slow can leak.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
Impacted products
Vendor Product Version
Eclipse Foundation Eclipse Jetty Affected: 10.0.7 , < 10.0.23 (semver)
Affected: 11.0.7 , < 11.0.23 (semver)
Create a notification for this product.
Credits
https://github.com/kimmerin https://github.com/pmneo
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7708",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T12:16:59.558842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T12:17:11.635Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "org.eclipse.jetty:jetty-server",
          "product": "Eclipse Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThan": "10.0.23",
              "status": "affected",
              "version": "10.0.7",
              "versionType": "semver"
            },
            {
              "lessThan": "11.0.23",
              "status": "affected",
              "version": "11.0.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "https://github.com/kimmerin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "https://github.com/pmneo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak.\nThis is particularly the case for 100-Continue, but any request where the network is slow can leak."
            }
          ],
          "value": "For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak.\nThis is particularly the case for 100-Continue, but any request where the network is slow can leak."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T09:01:53.869Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://gitlab.eclipse.org/security/cve-assignment/-/work_items/29"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2024-7708",
    "datePublished": "2026-07-14T09:01:53.869Z",
    "dateReserved": "2024-08-12T16:15:04.741Z",
    "dateUpdated": "2026-07-14T12:17:11.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-7610 (GCVE-0-2024-7610)

Vulnerability from cvelistv5 – Published: 2024-08-08 10:30 – Updated: 2024-08-29 15:05
VLAI
Title
Uncontrolled Resource Consumption in GitLab
Summary
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/468917 issue-trackingpermissions-required
Impacted products
Vendor Product Version
GitLab GitLab Affected: 15.9 , < 17.0.6 (semver)
Affected: 17.1 , < 17.1.4 (semver)
Affected: 17.2 , < 17.2.2 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
This vulnerability was discovered internally by GitLab team member [Terri Chu](https://gitlab.com/terrichu)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7610",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-08T12:53:54.759743Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-08T12:54:03.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "17.0.6",
              "status": "affected",
              "version": "15.9",
              "versionType": "semver"
            },
            {
              "lessThan": "17.1.4",
              "status": "affected",
              "version": "17.1",
              "versionType": "semver"
            },
            {
              "lessThan": "17.2.2",
              "status": "affected",
              "version": "17.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability was discovered internally by GitLab team member [Terri Chu](https://gitlab.com/terrichu)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-29T15:05:01.225Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #468917",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/468917"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 17.2.2, 17.1.4, 17.0.6 or above."
        }
      ],
      "title": "Uncontrolled Resource Consumption in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2024-7610",
    "datePublished": "2024-08-08T10:30:43.133Z",
    "dateReserved": "2024-08-08T10:02:04.174Z",
    "dateUpdated": "2024-08-29T15:05:01.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7592 (GCVE-0-2024-7592)

Vulnerability from cvelistv5 – Published: 2024-08-19 19:06 – Updated: 2025-11-03 22:32
VLAI
Title
Quadratic complexity parsing cookies with backslashes
Summary
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
PSF
Impacted products
Vendor Product Version
Python Software Foundation CPython Affected: 0 , < 3.8.20 (python)
Affected: 3.9.0 , < 3.9.20 (python)
Affected: 3.10.0 , < 3.10.15 (python)
Affected: 3.11.0 , < 3.11.10 (python)
Affected: 3.12.0 , < 3.12.6 (python)
Affected: 3.13.0a1 , < 3.13.0rc2 (python)
Create a notification for this product.
python cpython Affected: 0 , < 3.8.20 (python)
Affected: 3.9.0 , < 3.9.20 (python)
Affected: 3.10.0 , < 3.10.15 (python)
Affected: 3.11.0 , < 3.11.10 (python)
Affected: 3.12.0 , < 3.12.6 (python)
Affected: 3.13.0a1 , < 3.13.0rc2 (python)
    cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-08-16 16:15
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "cpython",
            "vendor": "python",
            "versions": [
              {
                "lessThan": "3.8.20",
                "status": "affected",
                "version": "0",
                "versionType": "python"
              },
              {
                "lessThan": "3.9.20",
                "status": "affected",
                "version": "3.9.0",
                "versionType": "python"
              },
              {
                "lessThan": "3.10.15",
                "status": "affected",
                "version": "3.10.0",
                "versionType": "python"
              },
              {
                "lessThan": "3.11.10",
                "status": "affected",
                "version": "3.11.0",
                "versionType": "python"
              },
              {
                "lessThan": "3.12.6",
                "status": "affected",
                "version": "3.12.0",
                "versionType": "python"
              },
              {
                "lessThan": "3.13.0rc2",
                "status": "affected",
                "version": "3.13.0a1",
                "versionType": "python"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-7592",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T17:21:02.520596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-09T20:53:12.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:32:52.863Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241018-0006/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "vendor": "Python Software Foundation",
          "versions": [
            {
              "lessThan": "3.8.20",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            },
            {
              "lessThan": "3.9.20",
              "status": "affected",
              "version": "3.9.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.10.15",
              "status": "affected",
              "version": "3.10.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.11.10",
              "status": "affected",
              "version": "3.11.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.12.6",
              "status": "affected",
              "version": "3.12.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.13.0rc2",
              "status": "affected",
              "version": "3.13.0a1",
              "versionType": "python"
            }
          ]
        }
      ],
      "datePublic": "2024-08-16T16:15:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is a LOW severity vulnerability affecting CPython, specifically the\n\u0027\u003ci\u003e\u003cb\u003ehttp.cookies\u003c/b\u003e\u003c/i\u003e\u0027 standard library module.\u003c/p\u003e\n\u003cp\u003eWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "There is a LOW severity vulnerability affecting CPython, specifically the\n\u0027http.cookies\u0027 standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-31T19:55:12.119Z",
        "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "shortName": "PSF"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/pull/123075"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/python/cpython/issues/123067"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Quadratic complexity parsing cookies with backslashes",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
    "assignerShortName": "PSF",
    "cveId": "CVE-2024-7592",
    "datePublished": "2024-08-19T19:06:45.311Z",
    "dateReserved": "2024-08-07T15:53:07.135Z",
    "dateUpdated": "2025-11-03T22:32:52.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-7567 (GCVE-0-2024-7567)

Vulnerability from cvelistv5 – Published: 2024-08-13 17:51 – Updated: 2024-08-13 18:37
VLAI
Title
Rockwell Automation Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port
Summary
A denial-of-service vulnerability exists via the CIP/Modbus port in the Rockwell Automation Micro850/870 (2080 -L50E/2080 -L70E). If exploited, the CIP/Modbus communication may be disrupted for short duration.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
Rockwell Automation PLC - Micro850/870 (2080 -L50E/2080 -L70E) Affected: v20.011
Create a notification for this product.
rockwellautomation micro850_firmware Affected: 20.011 , < 22.011 (custom)
    cpe:2.3:o:rockwellautomation:micro850_firmware:-:*:*:*:*:*:*:*
Create a notification for this product.
rockwellautomation micro870_firmware Affected: 20.011 , < 22.011 (custom)
    cpe:2.3:o:rockwellautomation:micro870_firmware:-:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-08-13 17:47
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:rockwellautomation:micro850_firmware:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "micro850_firmware",
            "vendor": "rockwellautomation",
            "versions": [
              {
                "lessThan": "22.011",
                "status": "affected",
                "version": "20.011",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:rockwellautomation:micro870_firmware:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "micro870_firmware",
            "vendor": "rockwellautomation",
            "versions": [
              {
                "lessThan": "22.011",
                "status": "affected",
                "version": "20.011",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7567",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-13T18:35:00.903567Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T18:37:13.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PLC - Micro850/870 (2080 -L50E/2080 -L70E)",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "v20.011"
            }
          ]
        }
      ],
      "datePublic": "2024-08-13T17:47:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA denial-of-service vulnerability exists via the CIP/Modbus port in the Rockwell Automation Micro850/870 (2080 -L50E/2080 -L70E). If exploited, the CIP/Modbus communication may be disrupted for short duration.\u003c/span\u003e"
            }
          ],
          "value": "A denial-of-service vulnerability exists via the CIP/Modbus port in the Rockwell Automation Micro850/870 (2080 -L50E/2080 -L70E). If exploited, the CIP/Modbus communication may be disrupted for short duration."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-124",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-124 Shared Resource Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-13T17:51:45.882Z",
        "orgId": "b73dd486-f505-4403-b634-40b078b177f0",
        "shortName": "Rockwell"
      },
      "references": [
        {
          "url": "https://https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1684.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate to the corrected version:\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ev22.011 or later.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eCustomers using the affected software are encouraged to apply security best practices, if possible.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u00b7 \u0026nbsp; \u0026nbsp; \u0026nbsp; For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\"\u003esecurity best practices\u003c/a\u003e\u0026nbsp;to minimize the risk of the vulnerability\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "*  Update to the corrected version:\u00a0\n\nv22.011 or later.\u00a0\n\n\n\n\nCustomers using the affected software are encouraged to apply security best practices, if possible.\n\n\n\u00b7 \u00a0 \u00a0 \u00a0 For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested  security best practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight \u00a0to minimize the risk of the vulnerability"
        }
      ],
      "source": {
        "advisory": "SD1684",
        "discovery": "INTERNAL"
      },
      "title": "Rockwell Automation Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
    "assignerShortName": "Rockwell",
    "cveId": "CVE-2024-7567",
    "datePublished": "2024-08-13T17:51:45.882Z",
    "dateReserved": "2024-08-06T17:59:43.596Z",
    "dateUpdated": "2024-08-13T18:37:13.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7294 (GCVE-0-2024-7294)

Vulnerability from cvelistv5 – Published: 2024-10-09 14:45 – Updated: 2024-10-09 16:17
VLAI
Title
Uncontrolled resource consumption of anonymous endpoints
Summary
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.2.24.806 (custom)
Create a notification for this product.
progress telerik_report_server Affected: 1.0.0 , < 10.2.24.806 (custom)
    cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "telerik_report_server",
            "vendor": "progress",
            "versions": [
              {
                "lessThan": "10.2.24.806",
                "status": "affected",
                "version": "1.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7294",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T16:14:59.336463Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T16:17:21.325Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Telerik Report Server",
          "vendor": "Progress Software Corporation",
          "versions": [
            {
              "lessThan": "10.2.24.806",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting."
            }
          ],
          "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-469",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-469 HTTP DoS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-09T14:45:30.445Z",
        "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "shortName": "ProgressSoftware"
      },
      "references": [
        {
          "url": "https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Uncontrolled resource consumption of anonymous endpoints",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
    "assignerShortName": "ProgressSoftware",
    "cveId": "CVE-2024-7294",
    "datePublished": "2024-10-09T14:45:30.445Z",
    "dateReserved": "2024-07-30T14:58:14.413Z",
    "dateUpdated": "2024-10-09T16:17:21.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7254 (GCVE-0-2024-7254)

Vulnerability from cvelistv5 – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
VLAI
Title
Stack overflow in Protocol Buffers Java Lite
Summary
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-674 - Uncontrolled Recursion
Assigner
Impacted products
Vendor Product Version
Google Protocol Buffers Affected: 0 , < 28.2 (custom)
Create a notification for this product.
Google protobuf-java Affected: 0 , < 3.25.5 (custom)
Affected: 0 , < 4.27.5 (custom)
Affected: 0 , < 4.28.2 (custom)
Create a notification for this product.
Google protobuf-javalite Affected: 0 , < 3.25.5 (custom)
Affected: 0 , < 4.27.5 (custom)
Affected: 0 , < 4.28.2 (custom)
Create a notification for this product.
Google protobuf-kotlin Affected: 0 , < 3.25.5 (custom)
Affected: 0 , < 4.27.5 (custom)
Affected: 0 , < 4.28.2 (custom)
Create a notification for this product.
Google protobuf-kotllin-lite Affected: 0 , < 3.25.5 (custom)
Affected: 0 , < 4.27.5 (custom)
Affected: 0 , < 4.28.2 (custom)
Create a notification for this product.
Google google-protobuf [JRuby Gem] Affected: 0 , < 3.25.5 (custom)
Affected: 0 , < 4.27.5 (custom)
Affected: 0 , < 4.28.2 (custom)
Create a notification for this product.
google protobuf Affected: 0 , < 28.2 (custom)
    cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*
Create a notification for this product.
google protobuf-kotlin-lite Affected: 0 , < 3.25.5 (custom)
Affected: 4.27 , < 4.27.5 (custom)
Affected: 4.28 , < 4.28.2 (custom)
    cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
    cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
    cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*
    cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
    cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "protobuf",
            "vendor": "google",
            "versions": [
              {
                "lessThan": "28.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
              "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "protobuf-kotlin-lite",
            "vendor": "google",
            "versions": [
              {
                "lessThan": "3.25.5",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.27.5",
                "status": "affected",
                "version": "4.27",
                "versionType": "custom"
              },
              {
                "lessThan": "4.28.2",
                "status": "affected",
                "version": "4.28",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7254",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T14:29:43.468555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T14:46:14.517Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-19T00:11:07.841Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Protocol Buffers",
          "repo": "https://github.com/protocolbuffers/protobuf",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
          "defaultStatus": "unaffected",
          "product": "protobuf-java",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "protobuf-javalite",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "protobuf-kotlin",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "protobuf-kotllin-lite",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://rubygems.org/gems/google-protobuf",
          "defaultStatus": "unaffected",
          "product": "google-protobuf [JRuby Gem]",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674 Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-08T09:37:53.702Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Stack overflow in Protocol Buffers Java Lite",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2024-7254",
    "datePublished": "2024-09-19T00:18:45.824Z",
    "dateReserved": "2024-07-29T21:41:56.116Z",
    "dateUpdated": "2025-09-08T09:37:53.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7036 (GCVE-0-2024-7036)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:09 – Updated: 2025-03-20 18:32
VLAI
Title
Denial of Service in open-webui/open-webui
Summary
A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, or adding users. The vulnerability can also be exploited by authenticated users with low privileges, leading to the same unresponsive state in the Admin panel.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
open-webui open-webui/open-webui Affected: unspecified , ≤ latest (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7036",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:52:33.988622Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:32:24.973Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui/open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the \u0027name\u0027 field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, or adding users. The vulnerability can also be exploited by authenticated users with low privileges, leading to the same unresponsive state in the Admin panel."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T10:09:57.731Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/ba62d093-ab27-48fa-9c53-0602c8cdc48a"
        }
      ],
      "source": {
        "advisory": "ba62d093-ab27-48fa-9c53-0602c8cdc48a",
        "discovery": "EXTERNAL"
      },
      "title": "Denial of Service in open-webui/open-webui"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-7036",
    "datePublished": "2025-03-20T10:09:57.731Z",
    "dateReserved": "2024-07-23T17:39:50.638Z",
    "dateUpdated": "2025-03-20T18:32:24.973Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-6838 (GCVE-0-2024-6838)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:09 – Updated: 2025-03-20 14:25
VLAI
Title
Uncontrolled Resource Consumption in mlflow/mlflow
Summary
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of service. Additionally, there is no character limit in the `artifact_location` parameter while creating the experiment.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
mlflow mlflow/mlflow Affected: unspecified , ≤ latest (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6838",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T14:25:36.315939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T14:25:56.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://huntr.com/bounties/8ad52cb2-2cda-4eb0-aec9-586060ee43e0"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mlflow/mlflow",
          "vendor": "mlflow",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of service. Additionally, there is no character limit in the `artifact_location` parameter while creating the experiment."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T10:09:11.431Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/8ad52cb2-2cda-4eb0-aec9-586060ee43e0"
        }
      ],
      "source": {
        "advisory": "8ad52cb2-2cda-4eb0-aec9-586060ee43e0",
        "discovery": "EXTERNAL"
      },
      "title": "Uncontrolled Resource Consumption in mlflow/mlflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-6838",
    "datePublished": "2025-03-20T10:09:11.431Z",
    "dateReserved": "2024-07-17T17:37:25.971Z",
    "dateUpdated": "2025-03-20T14:25:56.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-6762 (GCVE-0-2024-6762)

Vulnerability from cvelistv5 – Published: 2024-10-14 15:07 – Updated: 2025-11-03 19:34
VLAI
Title
Jetty PushSessionCacheFilter can cause remote DoS attacks
Summary
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
Eclipse Foundation Jetty Affected: 10.0.0 , ≤ 10.0.17 (semver)
Affected: 11.0.0 , ≤ 11.0.17 (semver)
Affected: 12.0.0 , ≤ 12.0.3 (semver)
Create a notification for this product.
Date Public
2024-10-14 15:00
Credits
Lian Kee
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:42:42.629742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T17:42:50.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:34:37.967Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "modules": [
            "jetty-servlets"
          ],
          "packageName": "org.eclipse.jetty:jetty-servlets",
          "product": "Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "10.0.17",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.17",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.0.3",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lian Kee"
        }
      ],
      "datePublic": "2024-10-14T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eJetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-14T15:07:10.942Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"
        },
        {
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/9715"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/9716"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/10756"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/10755"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Jetty  PushSessionCacheFilter can cause remote DoS attacks",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003enot using the PushCacheFilter.  Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\u003c/li\u003e\n\u003cli\u003ereducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\u003c/li\u003e\n\u003cli\u003econfiguring a session cache to use \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\"\u003esession passivation\u003c/a\u003e,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.\u003c/li\u003e\n\u003c/ul\u003e"
            }
          ],
          "value": "The session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\n\n\n\n  *  not using the PushCacheFilter.  Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n  *  reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n  *  configuring a session cache to use  session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2024-6762",
    "datePublished": "2024-10-14T15:07:10.942Z",
    "dateReserved": "2024-07-15T17:35:50.791Z",
    "dateUpdated": "2025-11-03T19:34:37.967Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-6501 (GCVE-0-2024-6501)

Vulnerability from cvelistv5 – Published: 2024-07-09 19:27 – Updated: 2025-11-21 07:06
VLAI
Title
Networkmanager: denial of service
Summary
A flaw was found in NetworkManager. When a system running NetworkManager with DEBUG logs enabled and an interface eth1 configured with LLDP enabled, a malicious user could inject a malformed LLDP packet. NetworkManager would crash, leading to a denial of service.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2024:9317 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-6501 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2295734 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Affected: 1.40 , < 1.48.10-2 (semver)
Red Hat Red Hat Enterprise Linux 9 Unaffected: 1:1.48.10-2.el9_5 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9::appstream
    cpe:/o:redhat:enterprise_linux:9::baseos
    cpe:/a:redhat:enterprise_linux:9::crb
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Date Public
2024-07-04 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6501",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T20:36:57.290190Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T20:37:06.892Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:41:03.482Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-6501"
          },
          {
            "name": "RHBZ#2295734",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295734"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/NetworkManager/NetworkManager",
          "defaultStatus": "unaffected",
          "packageName": "NetworkManager",
          "versions": [
            {
              "lessThan": "1.48.10-2",
              "status": "affected",
              "version": "1.40",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "NetworkManager",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:1.48.10-2.el9_5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "NetworkManager",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:1.48.10-2.el9_5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "NetworkManager",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "NetworkManager",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "NetworkManager",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "NetworkManager",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-07-04T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in NetworkManager. When a system running NetworkManager with DEBUG logs enabled and an interface eth1 configured with LLDP enabled, a malicious user could inject a malformed LLDP packet. NetworkManager would crash, leading to a denial of service."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T07:06:19.932Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:9317",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:9317"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-6501"
        },
        {
          "name": "RHBZ#2295734",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295734"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-04T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-07-04T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Networkmanager: denial of service",
      "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-6501",
    "datePublished": "2024-07-09T19:27:11.133Z",
    "dateReserved": "2024-07-04T05:13:32.680Z",
    "dateUpdated": "2025-11-21T07:06:19.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.