CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CVE-2020-8237 (GCVE-0-2020-8237)
Vulnerability from cvelistv5 – Published: 2020-09-18 20:12 – Updated: 2024-08-04 09:56
VLAI
Summary
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/916430 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | json-bigint |
Affected:
Fixed in version 1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/916430"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "json-bigint",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in version 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prototype pollution in json-bigint npm package \u003c 1.0.0 may lead to a denial-of-service (DoS) attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T20:12:51.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/916430"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8237",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "json-bigint",
"version": {
"version_data": [
{
"version_value": "Fixed in version 1.0.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prototype pollution in json-bigint npm package \u003c 1.0.0 may lead to a denial-of-service (DoS) attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/916430",
"refsource": "MISC",
"url": "https://hackerone.com/reports/916430"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8237",
"datePublished": "2020-09-18T20:12:51.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8246 (GCVE-0-2020-8246)
Vulnerability from cvelistv5 – Published: 2020-09-18 20:12 – Updated: 2024-08-04 09:56
VLAI
Summary
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b are vulnerable to a denial of service attack originating from the management network.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://support.citrix.com/article/CTX281474 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP |
Affected:
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX281474"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b are vulnerable to a denial of service attack originating from the management network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T20:12:26.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.citrix.com/article/CTX281474"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8246",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP",
"version": {
"version_data": [
{
"version_value": "Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b are vulnerable to a denial of service attack originating from the management network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.citrix.com/article/CTX281474",
"refsource": "MISC",
"url": "https://support.citrix.com/article/CTX281474"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8246",
"datePublished": "2020-09-18T20:12:26.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8251 (GCVE-0-2020-8251)
Vulnerability from cvelistv5 – Published: 2020-09-18 20:11 – Updated: 2025-04-30 22:24
VLAI
Summary
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/868834 | x_refsource_MISC |
| https://nodejs.org/en/blog/vulnerability/septembe… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2020100… | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/202101-07 | vendor-advisoryx_refsource_GENTOO |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.11.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/868834"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201009-0004/"
},
{
"name": "FEDORA-2020-43d5a372fc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.11.0",
"status": "affected",
"version": "14.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Node.js \u003c 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:26.013Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/868834"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20201009-0004/"
},
{
"name": "FEDORA-2020-43d5a372fc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202101-07"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8251",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/nodejs/node",
"version": {
"version_data": [
{
"version_value": "Fixed in v14.11.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js \u003c 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/868834",
"refsource": "MISC",
"url": "https://hackerone.com/reports/868834"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/",
"refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201009-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20201009-0004/"
},
{
"name": "FEDORA-2020-43d5a372fc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"name": "GLSA-202101-07",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202101-07"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8251",
"datePublished": "2020-09-18T20:11:43.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:26.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8277 (GCVE-0-2020-8277)
Vulnerability from cvelistv5 – Published: 2020-11-19 00:32 – Updated: 2025-04-30 22:24
VLAI
Summary
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/1033107 | x_refsource_MISC |
| https://nodejs.org/en/blog/vulnerability/november… | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/202012-11 | vendor-advisoryx_refsource_GENTOO |
| https://security.gentoo.org/glsa/202101-07 | vendor-advisoryx_refsource_GENTOO |
| https://www.oracle.com/security-alerts/cpujan2021.html | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC |
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.19.1 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.15.1 (semver) Affected: 15.0 , < 15.2.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1033107"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
},
{
"name": "FEDORA-2020-7473744de1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
},
{
"name": "FEDORA-2020-307e873389",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
},
{
"name": "GLSA-202012-11",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202012-11"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "FEDORA-2021-afed2b904e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
},
{
"name": "FEDORA-2021-ee913722db",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.19.1",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.15.1",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.2.1",
"status": "affected",
"version": "15.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions \u003c 15.2.1, \u003c 14.15.1, and \u003c 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:27.745Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1033107"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
},
{
"name": "FEDORA-2020-7473744de1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
},
{
"name": "FEDORA-2020-307e873389",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
},
{
"name": "GLSA-202012-11",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202012-11"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "FEDORA-2021-afed2b904e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
},
{
"name": "FEDORA-2021-ee913722db",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8277",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/nodejs/node",
"version": {
"version_data": [
{
"version_value": "Fixed in 15.2.1, 14.15.1, 12.19.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions \u003c 15.2.1, \u003c 14.15.1, and \u003c 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1033107",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1033107"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
},
{
"name": "FEDORA-2020-7473744de1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
},
{
"name": "FEDORA-2020-307e873389",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
},
{
"name": "GLSA-202012-11",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202012-11"
},
{
"name": "GLSA-202101-07",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "FEDORA-2021-afed2b904e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
},
{
"name": "FEDORA-2021-ee913722db",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8277",
"datePublished": "2020-11-19T00:32:13.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:27.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8293 (GCVE-0-2020-8293)
Vulnerability from cvelistv5 – Published: 2021-01-26 16:33 – Updated: 2024-08-04 09:56
VLAI
Summary
A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/1018146 | x_refsource_MISC |
| https://nextcloud.com/security/advisory/?id=NC-SA… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Nextcloud Server |
Affected:
Fixed in 20.0.2, 19.0.5, 18.0.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1018146"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-001"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Server",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 20.0.2, 19.0.5, 18.0.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-26T16:33:25.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1018146"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-001"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8293",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Server",
"version": {
"version_data": [
{
"version_value": "Fixed in 20.0.2, 19.0.5, 18.0.11"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1018146",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1018146"
},
{
"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-001",
"refsource": "MISC",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-001"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8293",
"datePublished": "2021-01-26T16:33:25.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8295 (GCVE-0-2020-8295)
Vulnerability from cvelistv5 – Published: 2021-01-26 17:10 – Updated: 2024-08-04 09:56
VLAI
Summary
A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/812754 | x_refsource_MISC |
| https://nextcloud.com/security/advisory/?id=NC-SA… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Nextcloud Server |
Affected:
Fixed in 20.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/812754"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-003"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Server",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 20.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-26T17:10:36.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/812754"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-003"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8295",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Server",
"version": {
"version_data": [
{
"version_value": "Fixed in 20.0.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/812754",
"refsource": "MISC",
"url": "https://hackerone.com/reports/812754"
},
{
"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-003",
"refsource": "MISC",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-003"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8295",
"datePublished": "2021-01-26T17:10:36.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8299 (GCVE-0-2020-8299)
Vulnerability from cvelistv5 – Published: 2021-06-16 13:08 – Updated: 2024-08-04 09:56
VLAI
Summary
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-of-service from within the same Layer 2 network segment. Note that the attacker must be in the same Layer 2 network segment as the vulnerable appliance.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://support.citrix.com/article/CTX297155 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition |
Affected:
Fixed in Citrix ADC and Citrix Gateway 13.0-76.29 and later releases of 13.0, Citrix ADC and Citrix Gateway 12.1-61.18 and later releases of 12.1, Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1, Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS, Citrix SD-WAN WANOP 11.4.0 and later releases of 11.4, Citrix SD-WAN WANOP 11.3.2 and later releases of 11.3, Citrix SD-WAN WANOP 11.3.1a and later releases of 11.3, Citrix SD-WAN WANOP 11.2.3a and later releases of 11.2, Citrix SD-WAN WANOP 11.1.2c and later releases of 11.1, Citrix SD-WAN WANOP 10.2.9a and later releases of 10.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX297155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in Citrix ADC and Citrix Gateway 13.0-76.29 and later releases of 13.0, Citrix ADC and Citrix Gateway 12.1-61.18 and later releases of 12.1, Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1, Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS, Citrix SD-WAN WANOP 11.4.0 and later releases of 11.4, Citrix SD-WAN WANOP 11.3.2 and later releases of 11.3, Citrix SD-WAN WANOP 11.3.1a and later releases of 11.3, Citrix SD-WAN WANOP 11.2.3a and later releases of 11.2, Citrix SD-WAN WANOP 11.1.2c and later releases of 11.1, Citrix SD-WAN WANOP 10.2.9a and later releases of 10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-of-service from within the same Layer 2 network segment. Note that the attacker must be in the same Layer 2 network segment as the vulnerable appliance."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-16T13:08:22.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.citrix.com/article/CTX297155"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8299",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition",
"version": {
"version_data": [
{
"version_value": "Fixed in Citrix ADC and Citrix Gateway 13.0-76.29 and later releases of 13.0, Citrix ADC and Citrix Gateway 12.1-61.18 and later releases of 12.1, Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1, Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS, Citrix SD-WAN WANOP 11.4.0 and later releases of 11.4, Citrix SD-WAN WANOP 11.3.2 and later releases of 11.3, Citrix SD-WAN WANOP 11.3.1a and later releases of 11.3, Citrix SD-WAN WANOP 11.2.3a and later releases of 11.2, Citrix SD-WAN WANOP 11.1.2c and later releases of 11.1, Citrix SD-WAN WANOP 10.2.9a and later releases of 10.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-of-service from within the same Layer 2 network segment. Note that the attacker must be in the same Layer 2 network segment as the vulnerable appliance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.citrix.com/article/CTX297155",
"refsource": "MISC",
"url": "https://support.citrix.com/article/CTX297155"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8299",
"datePublished": "2021-06-16T13:08:22.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8557 (GCVE-0-2020-8557)
Vulnerability from cvelistv5 – Published: 2020-07-23 16:59 – Updated: 2024-09-17 03:14
VLAI
Title
Kubernetes node disk Denial of Service by writing to container /etc/hosts
Summary
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
Severity
5.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/kubernetes/kubernetes/issues/93032 | x_refsource_CONFIRM |
| https://groups.google.com/g/kubernetes-security-a… | mailing-listx_refsource_MLIST |
| https://security.netapp.com/advisory/ntap-2020082… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kubernetes | Kubernetes |
Affected:
1.15
Affected: 1.14 Affected: 1.13 Affected: 1.12 Affected: 1.11 Affected: 1.10 Affected: 1.9 Affected: 1.8 Affected: 1.7 Affected: 1.6 Affected: 1.5 Affected: 1.4 Affected: 1.3 Affected: 1.2 Affected: 1.1 Affected: 1.18 , < 1.18.6 (custom) Affected: 1.17 , < 1.17.9 (custom) Affected: 1.16 , < 1.16.13 (custom) |
Date Public
2020-07-15 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.168Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kubernetes/kubernetes/issues/93032"
},
{
"name": "[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200821-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "1.15"
},
{
"status": "affected",
"version": "1.14"
},
{
"status": "affected",
"version": "1.13"
},
{
"status": "affected",
"version": "1.12"
},
{
"status": "affected",
"version": "1.11"
},
{
"status": "affected",
"version": "1.10"
},
{
"status": "affected",
"version": "1.9"
},
{
"status": "affected",
"version": "1.8"
},
{
"status": "affected",
"version": "1.7"
},
{
"status": "affected",
"version": "1.6"
},
{
"status": "affected",
"version": "1.5"
},
{
"status": "affected",
"version": "1.4"
},
{
"status": "affected",
"version": "1.3"
},
{
"status": "affected",
"version": "1.2"
},
{
"status": "affected",
"version": "1.1"
},
{
"lessThan": "1.18.6",
"status": "affected",
"version": "1.18",
"versionType": "custom"
},
{
"lessThan": "1.17.9",
"status": "affected",
"version": "1.17",
"versionType": "custom"
},
{
"lessThan": "1.16.13",
"status": "affected",
"version": "1.16",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kebe Liu of DaoCloud"
}
],
"datePublic": "2020-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-21T09:06:14.000Z",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kubernetes/kubernetes/issues/93032"
},
{
"name": "[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200821-0002/"
}
],
"source": {
"discovery": "USER"
},
"title": "Kubernetes node disk Denial of Service by writing to container /etc/hosts",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-07-15T00:00:00.000Z",
"ID": "CVE-2020-8557",
"STATE": "PUBLIC",
"TITLE": "Kubernetes node disk Denial of Service by writing to container /etc/hosts"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.18",
"version_value": "1.18.6"
},
{
"version_affected": "\u003c",
"version_name": "1.17",
"version_value": "1.17.9"
},
{
"version_affected": "\u003c",
"version_name": "1.16",
"version_value": "1.16.13"
},
{
"version_value": "1.15"
},
{
"version_value": "1.14"
},
{
"version_value": "1.13"
},
{
"version_value": "1.12"
},
{
"version_value": "1.11"
},
{
"version_value": "1.10"
},
{
"version_value": "1.9"
},
{
"version_value": "1.8"
},
{
"version_value": "1.7"
},
{
"version_value": "1.6"
},
{
"version_value": "1.5"
},
{
"version_value": "1.4"
},
{
"version_value": "1.3"
},
{
"version_value": "1.2"
},
{
"version_value": "1.1"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kebe Liu of DaoCloud"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/kubernetes/kubernetes/issues/93032",
"refsource": "CONFIRM",
"url": "https://github.com/kubernetes/kubernetes/issues/93032"
},
{
"name": "[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts",
"refsource": "MLIST",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200821-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200821-0002/"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8557",
"datePublished": "2020-07-23T16:59:38.580Z",
"dateReserved": "2020-02-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:14:05.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9059 (GCVE-0-2020-9059)
Vulnerability from cvelistv5 – Published: 2022-01-07 04:30 – Updated: 2024-09-16 19:25
VLAI
Summary
Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level.
Severity
No CVSS data available.
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/142629 | third-party-advisoryx_refsource_CERT-VN |
| https://ieeexplore.ieee.org/document/9663293 | x_refsource_MISC |
| https://github.com/CNK2100/VFuzz-public | x_refsource_MISC |
| https://doi.org/10.1109/ACCESS.2021.3138768 | x_refsource_MISC |
| https://www.kb.cert.org/vuls/id/142629 | third-party-advisoryx_refsource_CERT-VN |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schlage | BE468 |
Affected:
3.42
|
|
| Silicon Labs | 500 series |
Affected:
all
|
Date Public
2021-12-27 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"name": "VU#142629",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/142629"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BE468",
"vendor": "Schlage",
"versions": [
{
"status": "affected",
"version": "3.42"
}
]
},
{
"product": "500 series",
"vendor": "Silicon Labs",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"
}
],
"datePublic": "2021-12-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-07T23:06:13.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"name": "VU#142629",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/142629"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-12-27T05:00:00.000Z",
"ID": "CVE-2020-9059",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BE468",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "3.42"
}
]
}
}
]
},
"vendor_name": "Schlage"
},
{
"product": {
"product_data": [
{
"product_name": "500 series",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "Silicon Labs"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.cert.org/vuls/id/142629",
"refsource": "CERT-VN",
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"name": "https://ieeexplore.ieee.org/document/9663293",
"refsource": "MISC",
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"name": "https://github.com/CNK2100/VFuzz-public",
"refsource": "MISC",
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"name": "https://doi.org/10.1109/ACCESS.2021.3138768",
"refsource": "MISC",
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"name": "VU#142629",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/142629"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2020-9059",
"datePublished": "2022-01-07T04:30:26.522Z",
"dateReserved": "2020-02-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:25:18.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9060 (GCVE-0-2020-9060)
Vulnerability from cvelistv5 – Published: 2022-01-07 04:30 – Updated: 2024-09-16 16:33
VLAI
Summary
Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.
Severity
No CVSS data available.
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/142629 | third-party-advisoryx_refsource_CERT-VN |
| https://ieeexplore.ieee.org/document/9663293 | x_refsource_MISC |
| https://github.com/CNK2100/VFuzz-public | x_refsource_MISC |
| https://doi.org/10.1109/ACCESS.2021.3138768 | x_refsource_MISC |
| https://www.kb.cert.org/vuls/id/142629 | third-party-advisoryx_refsource_CERT-VN |
Impacted products
Date Public
2021-12-27 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.795Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"name": "VU#142629",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/142629"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ZEN25",
"vendor": "ZooZ",
"versions": [
{
"status": "affected",
"version": "5.03"
}
]
},
{
"product": "ZEN20",
"vendor": "ZooZ",
"versions": [
{
"status": "affected",
"version": "5.03"
}
]
},
{
"product": "ZST10",
"vendor": "ZooZ",
"versions": [
{
"status": "affected",
"version": "6.04"
}
]
},
{
"product": "FGWPB-111",
"vendor": "Fibaro",
"versions": [
{
"status": "affected",
"version": "4.3"
}
]
},
{
"product": "500 series",
"vendor": "Silicon Labs",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"product": "ZW090-A",
"vendor": "Aeon Labs",
"versions": [
{
"status": "affected",
"version": "3.95"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"
}
],
"datePublic": "2021-12-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-07T23:06:11.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"name": "VU#142629",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/142629"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-12-27T05:00:00.000Z",
"ID": "CVE-2020-9060",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ZEN25",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.03"
}
]
}
},
{
"product_name": "ZEN20",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.03"
}
]
}
},
{
"product_name": "ZST10",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "6.04"
}
]
}
}
]
},
"vendor_name": "ZooZ"
},
{
"product": {
"product_data": [
{
"product_name": "FGWPB-111",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "4.3"
}
]
}
}
]
},
"vendor_name": "Fibaro"
},
{
"product": {
"product_data": [
{
"product_name": "500 series",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "Silicon Labs"
},
{
"product": {
"product_data": [
{
"product_name": "ZW090-A",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "3.95"
}
]
}
}
]
},
"vendor_name": "Aeon Labs"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-346 Origin Validation Error"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.cert.org/vuls/id/142629",
"refsource": "CERT-VN",
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"name": "https://ieeexplore.ieee.org/document/9663293",
"refsource": "MISC",
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"name": "https://github.com/CNK2100/VFuzz-public",
"refsource": "MISC",
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"name": "https://doi.org/10.1109/ACCESS.2021.3138768",
"refsource": "MISC",
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"name": "VU#142629",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/142629"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2020-9060",
"datePublished": "2022-01-07T04:30:28.026Z",
"dateReserved": "2020-02-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:33:05.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
Phase: Architecture and Design
Description:
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that protocols have specific limits of scale placed on them.
Mitigation
Phase: Implementation
Description:
- Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.