CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5425 vulnerabilities reference this CWE, most recent first.
CVE-2024-0348 (GCVE-0-2024-0348)
Vulnerability from cvelistv5 – Published: 2024-01-09 22:00 – Updated: 2025-06-17 20:39- CWE-400 - Resource Consumption
| URL | Tags |
|---|---|
| https://vuldb.com/?id.250116 | vdb-entry |
| https://vuldb.com/?ctiid.250116 | signaturepermissions-required |
| https://mega.nz/file/HNkn2QbI#EjefwKgFoAjtWcxrQFM… | exploit |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Engineers Online Portal |
Affected:
1.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.250116"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.250116"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://mega.nz/file/HNkn2QbI#EjefwKgFoAjtWcxrQFMgBfhVQ1LAf2hq7Jg-nDsE-P4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0348",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-10T18:08:54.288684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:39:19.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Upload Handler"
],
"product": "Engineers Online Portal",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "ahmed8199 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been classified as problematic. Affected is an unknown function of the component File Upload Handler. The manipulation leads to resource consumption. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250116."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in SourceCodester Engineers Online Portal 1.0 ausgemacht. Hiervon betroffen ist ein unbekannter Codeblock der Komponente File Upload Handler. Durch das Beeinflussen mit unbekannten Daten kann eine resource consumption-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T22:00:04.969Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.250116"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.250116"
},
{
"tags": [
"exploit"
],
"url": "https://mega.nz/file/HNkn2QbI#EjefwKgFoAjtWcxrQFMgBfhVQ1LAf2hq7Jg-nDsE-P4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-01-09T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-09T15:19:08.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Engineers Online Portal File Upload resource consumption"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-0348",
"datePublished": "2024-01-09T22:00:04.969Z",
"dateReserved": "2024-01-09T14:13:44.911Z",
"dateUpdated": "2025-06-17T20:39:19.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0241 (GCVE-0-2024-0241)
Vulnerability from cvelistv5 – Published: 2024-01-04 20:48 – Updated: 2026-07-14 22:54- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://github.com/stevegeek/encoded_id-rails/sec… | vendor-advisory |
| https://github.com/stevegeek/encoded_id-rails/com… | patch |
| https://github.com/advisories/GHSA-3px7-jm2p-6h2c | vendor-advisory |
| https://vulncheck.com/advisories/vc-advisory-GHSA… | third-party-advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T17:41:16.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/stevegeek/encoded_id-rails/security/advisories/GHSA-3px7-jm2p-6h2c"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/stevegeek/encoded_id-rails/commit/afa495a77b8a21ad582611f9cdc2081dc4018b91"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-3px7-jm2p-6h2c"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-3px7-jm2p-6h2c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-0241",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-05T20:45:06.578790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T15:43:39.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://rubygems.org",
"defaultStatus": "unaffected",
"packageName": "encoded_id-rails",
"packageURL": "pkg:gem/encoded_id-rails",
"versions": [
{
"lessThan": "1.0.0.beta2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eencoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an extremely long \"id\" parameter.\u003c/p\u003e"
}
],
"value": "encoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an extremely long \"id\" parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T22:54:31.652Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/stevegeek/encoded_id-rails/security/advisories/GHSA-3px7-jm2p-6h2c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/stevegeek/encoded_id-rails/commit/afa495a77b8a21ad582611f9cdc2081dc4018b91"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-3px7-jm2p-6h2c"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-3px7-jm2p-6h2c"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "encoded_id-rails Denial of Service Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-0241",
"datePublished": "2024-01-04T20:48:00.606Z",
"dateReserved": "2024-01-04T18:44:55.210Z",
"dateUpdated": "2026-07-14T22:54:31.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0157 (GCVE-0-2024-0157)
Vulnerability from cvelistv5 – Published: 2024-04-12 16:59 – Updated: 2024-08-01 17:41- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-nz/00022407… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Dell Storage Resource Manager |
Affected:
N/A , < 5.0.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0157",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-12T19:06:02.770794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:53.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T17:41:15.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-nz/000224070/dsa-2024-143-dell-storage-resource-manager-srm-and-dell-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dell Storage Resource Manager",
"vendor": "Dell",
"versions": [
{
"lessThan": "5.0.0.0",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-04-11T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Storage Resource Manager, 4.9.0.0 and below, contain(s) a Session Fixation Vulnerability in SRM Windows Host Agent. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to the hijack of a targeted user\u0027s application session."
}
],
"value": "Dell Storage Resource Manager, 4.9.0.0 and below, contain(s) a Session Fixation Vulnerability in SRM Windows Host Agent. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to the hijack of a targeted user\u0027s application session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-12T16:59:51.179Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-nz/000224070/dsa-2024-143-dell-storage-resource-manager-srm-and-dell-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2024-0157",
"datePublished": "2024-04-12T16:59:51.179Z",
"dateReserved": "2023-12-14T05:30:34.173Z",
"dateUpdated": "2024-08-01T17:41:15.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0115 (GCVE-0-2024-0115)
Vulnerability from cvelistv5 – Published: 2024-08-09 02:23 – Updated: 2024-08-09 17:16- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| NVIDIA | NVIDIA CV-CUDA |
Affected:
v0.1.x - v0.9.x
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T17:15:57.600210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T17:16:21.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Ubuntu 20.04",
"Ubuntu 22.04",
"Jetpack"
],
"product": "NVIDIA CV-CUDA",
"vendor": "NVIDIA",
"versions": [
{
"status": "affected",
"version": "v0.1.x - v0.9.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNVIDIA CV-CUDA for Ubuntu 20.04, Ubuntu 22.04, and Jetpack contains a vulnerability in Python APIs where a user may cause an uncontrolled resource consumption issue by a long running CV-CUDA Python process. A successful exploit of this vulnerability may lead to denial of service and data loss.\u003c/span\u003e"
}
],
"value": "NVIDIA CV-CUDA for Ubuntu 20.04, Ubuntu 22.04, and Jetpack contains a vulnerability in Python APIs where a user may cause an uncontrolled resource consumption issue by a long running CV-CUDA Python process. A successful exploit of this vulnerability may lead to denial of service and data loss."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of service, data loss"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T02:23:48.661Z",
"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"shortName": "nvidia"
},
"references": [
{
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5560"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"assignerShortName": "nvidia",
"cveId": "CVE-2024-0115",
"datePublished": "2024-08-09T02:23:48.661Z",
"dateReserved": "2023-12-02T00:42:26.032Z",
"dateUpdated": "2024-08-09T17:16:21.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-54365 (GCVE-0-2023-54365)
Vulnerability from cvelistv5 – Published: 2026-06-23 12:12 – Updated: 2026-07-15 01:27| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | vendor-advisory |
| https://www.vulncheck.com/advisories/traefik-deni… | third-party-advisory |
| https://access.redhat.com/security/cve/CVE-2023-54365 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491710 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| Traefik | Traefik |
Affected:
0 , < 2.10.5
(semver)
Unaffected: 2.10.5 (semver) |
|
| Traefik | Traefik |
Affected:
3.0.0-beta1 , < 3.0.0-beta4
(semver)
Unaffected: 3.0.0-beta4 (semver) |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-54365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T18:13:32.219989Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:13:51.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-rhel9-operator",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/rhai-cli-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"packageName": "devspaces/traefik-rhel9",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T12:12:51.853Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik\u0027s HTTP/2 request handling. A remote attacker can exploit this vulnerability by rapidly creating and canceling HTTP/2 streams. This can exhaust server resources, leading to a denial of service (DoS) and making the service unavailable to legitimate users. This issue is inherited from the Go standard library\u0027s HTTP/2 implementation, known as the \u0027Rapid Reset\u0027 technique."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T01:27:56.273Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-54365"
},
{
"name": "RHBZ#2491710",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491710"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-54365.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T13:01:50.400Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T12:12:51.853Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/github.com/traefik/traefik",
"product": "Traefik",
"vendor": "Traefik",
"versions": [
{
"lessThan": "2.10.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.10.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/github.com/traefik/traefik",
"product": "Traefik",
"vendor": "Traefik",
"versions": [
{
"lessThan": "3.0.0-beta4",
"status": "affected",
"version": "3.0.0-beta1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.0.0-beta4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.21.3, 1.20.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.10.5, v3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library\u0027s HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the \u0027Rapid Reset\u0027 technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:12:51.853Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-7v4p-328v-8v5g)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-7v4p-328v-8v5g"
},
{
"name": "VulnCheck Advisory: Traefik - Denial of Service via HTTP/2 Request Handling",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/traefik-denial-of-service-via-http-2-request-handling"
}
],
"title": "Traefik - Denial of Service via HTTP/2 Request Handling",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-54365",
"datePublished": "2026-06-23T12:12:51.853Z",
"dateReserved": "2026-06-22T21:54:30.246Z",
"dateUpdated": "2026-07-15T01:27:56.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53873 (GCVE-0-2023-53873)
Vulnerability from cvelistv5 – Published: 2025-12-15 20:28 – Updated: 2026-04-07 14:06- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/51725 | exploit |
| https://www.syncbreeze.com/ | product |
| https://www.vulncheck.com/advisories/syncbreeze-d… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Syncbreeze | SyncBreeze |
Affected:
15.2.24
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T21:41:03.786686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T21:48:06.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SyncBreeze",
"vendor": "Syncbreeze",
"versions": [
{
"status": "affected",
"version": "15.2.24"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:flexense:syncbreeze:15.2.24:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mohamed youssef"
}
],
"datePublic": "2023-09-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SyncBreeze 15.2.24 contains a denial of service vulnerability in the login authentication mechanism that allows attackers to crash the service. Attackers can send an oversized password parameter with repeated \u0027password=\u0027 values to overwhelm the login endpoint and potentially disrupt service availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:06:59.674Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51725",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51725"
},
{
"name": "SyncBreeze Product Webpage",
"tags": [
"product"
],
"url": "https://www.syncbreeze.com/"
},
{
"name": "VulnCheck Advisory: SyncBreeze 15.2.24 Denial of Service via Login Endpoint Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/syncbreeze-denial-of-service-via-login-endpoint-overflow"
}
],
"title": "SyncBreeze 15.2.24 Denial of Service via Login Endpoint Overflow",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53873",
"datePublished": "2025-12-15T20:28:15.637Z",
"dateReserved": "2025-12-13T14:25:04.998Z",
"dateUpdated": "2026-04-07T14:06:59.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52098 (GCVE-0-2023-52098)
Vulnerability from cvelistv5 – Published: 2024-01-16 09:08 – Updated: 2025-06-11 16:55{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://consumer.huawei.com/en/support/bulletin/2024/1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202401-0000001799925977"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:18:04.751382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T16:55:34.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "4.0.0"
},
{
"status": "affected",
"version": "3.1.0"
},
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "affected",
"version": "2.0.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EMUI",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "13.0.0"
},
{
"status": "affected",
"version": "12.0.0"
},
{
"status": "affected",
"version": "11.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Denial of Service (DoS) vulnerability in the DMS module. Successful exploitation of this vulnerability will affect availability."
}
],
"value": "Denial of Service (DoS) vulnerability in the DMS module. Successful exploitation of this vulnerability will affect availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T09:08:10.154Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2024/1/"
},
{
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202401-0000001799925977"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2023-52098",
"datePublished": "2024-01-16T09:08:10.154Z",
"dateReserved": "2023-12-27T02:33:15.060Z",
"dateUpdated": "2025-06-11T16:55:34.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50730 (GCVE-0-2023-50730)
Vulnerability from cvelistv5 – Published: 2023-12-22 20:36 – Updated: 2024-08-02 22:16| URL | Tags |
|---|---|
| https://github.com/typelevel/grackle/security/adv… | x_refsource_CONFIRM |
| https://github.com/typelevel/grackle/commit/56e24… | x_refsource_MISC |
| https://github.com/typelevel/grackle/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8"
},
{
"name": "https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd"
},
{
"name": "https://github.com/typelevel/grackle/releases/tag/v0.18.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/typelevel/grackle/releases/tag/v0.18.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grackle",
"vendor": "typelevel",
"versions": [
{
"status": "affected",
"version": "\u003c 0.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle version 0.18.0, that requirement wasn\u0027t checked, and queries with cyclic fragments would have been accepted for type checking and compilation. The attempted compilation of such fragments would result in a JVM `StackOverflowError` being thrown. Some knowledge of an applications GraphQL schema would be required to construct such a query, however no knowledge of any application-specific performance or other behavioural characteristics would be needed.\n\nGrackle uses the cats-parse library for parsing GraphQL queries. Prior to version 0.18.0, Grackle made use of the cats-parse `recursive` operator. However, `recursive` is not currently stack safe. `recursive` was used in three places in the parser: nested selection sets, nested input values (lists and objects), and nested list type declarations. Consequently, queries with deeply nested selection sets, input values or list types could be constructed which exploited this, causing a JVM `StackOverflowException` to be thrown during parsing. Because this happens very early in query processing, no specific knowledge of an applications GraphQL schema would be required to construct such a query.\n\nThe possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. Both stack overflow issues have been resolved in the v0.18.0 release of Grackle. As a workaround, users could interpose a sanitizing layer in between untrusted input and Grackle query processing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:36:11.402Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8"
},
{
"name": "https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd"
},
{
"name": "https://github.com/typelevel/grackle/releases/tag/v0.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/typelevel/grackle/releases/tag/v0.18.0"
}
],
"source": {
"advisory": "GHSA-g56x-7j6w-g8r8",
"discovery": "UNKNOWN"
},
"title": "Grackle has StackOverflowError in GraphQL query processing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50730",
"datePublished": "2023-12-22T20:36:11.402Z",
"dateReserved": "2023-12-11T17:53:36.032Z",
"dateUpdated": "2024-08-02T22:16:47.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50707 (GCVE-0-2023-50707)
Vulnerability from cvelistv5 – Published: 2023-12-19 23:18 – Updated: 2024-08-02 22:16- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BCU 500",
"vendor": "EFACEC",
"versions": [
{
"status": "affected",
"version": "version 4.07"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aar\u00f3n Flecha Men\u00e9ndez of S21sec "
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThrough the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.\u003c/p\u003e\u003cbr\u003e\n\n"
}
],
"value": "\nThrough the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-19T23:18:26.771Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eEFACEC released BCU 500 versions 4.08 to mitigate this vulnerability.\u003c/p\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.efacec.pt/en/contacts/\"\u003eEFACEC support\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nEFACEC released BCU 500 versions 4.08 to mitigate this vulnerability.\n\nFor more information, contact EFACEC support https://www.efacec.pt/en/contacts/ .\n\n\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Uncontrolled Resource Consumption in EFACEC BCU 500",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-50707",
"datePublished": "2023-12-19T23:18:26.771Z",
"dateReserved": "2023-12-11T16:37:13.794Z",
"dateUpdated": "2024-08-02T22:16:47.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50249 (GCVE-0-2023-50249)
Vulnerability from cvelistv5 – Published: 2023-12-20 13:53 – Updated: 2024-08-02 22:09- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://github.com/getsentry/sentry-javascript/se… | x_refsource_CONFIRM |
| https://github.com/getsentry/sentry-javascript/pu… | x_refsource_MISC |
| https://github.com/getsentry/sentry-javascript/co… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| getsentry | sentry-javascript |
Affected:
>= 7.78.0, < 7.87.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"
},
{
"name": "https://github.com/getsentry/sentry-javascript/pull/9815",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry-javascript/pull/9815"
},
{
"name": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sentry-javascript",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.78.0, \u003c 7.87.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry\u0027s Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T13:53:00.512Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"
},
{
"name": "https://github.com/getsentry/sentry-javascript/pull/9815",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry-javascript/pull/9815"
},
{
"name": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"
}
],
"source": {
"advisory": "GHSA-x3v3-8xg8-8v72",
"discovery": "UNKNOWN"
},
"title": "Sentry\u0027s Astro SDK vulnerable to ReDoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50249",
"datePublished": "2023-12-20T13:53:00.512Z",
"dateReserved": "2023-12-05T20:42:59.377Z",
"dateUpdated": "2024-08-02T22:09:49.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.