Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-7696

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-14 Apr, 2017 | 18:00
Updated At-05 Aug, 2024 | 16:12
Rejected At-
Credits

SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:14 Apr, 2017 | 18:00
Updated At:05 Aug, 2024 | 16:12
Rejected At:
▼CVE Numbering Authority (CNA)

SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/
x_refsource_MISC
Hyperlink: https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/
x_refsource_MISC
x_transferred
Hyperlink: https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:14 Apr, 2017 | 18:59
Updated At:13 May, 2026 | 00:24

SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
Type: Primary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CPE Matches

SAP SE
sap
>>sso_authentication_library>>2.0
cpe:2.3:a:sap:sso_authentication_library:2.0:*:*:*:*:*:*:*
SAP SE
sap
>>sso_authentication_library>>3.0
cpe:2.3:a:sap:sso_authentication_library:3.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Primarynvd@nist.gov
CWE ID: CWE-770
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/cve@mitre.org
N/A
https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://erpscan.io/advisories/erpscan-17-001-sap-java-dos-bc-iam-sso-otp-package-use-qr-servlet/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

305Records found

CVE-2024-7768
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.67%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in h2oai/h2o-3

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

Action-Not Available
Vendor-h2oh2oai
Product-h2oh2oai/h2o-3
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-9518
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-25.45% / 97.69%
||
7 Day CHG+0.63%
Published-13 Aug, 2019 | 20:50
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Action-Not Available
Vendor-n/aCanonical Ltd.Apple Inc.The Apache Software FoundationFedora ProjectOracle CorporationRed Hat, Inc.McAfee, LLCDebian GNU/LinuxopenSUSENode.js (OpenJS Foundation)Synology, Inc.
Product-ubuntu_linuxvs960hdsoftware_collectionsenterprise_linuxquayskynasswiftniodiskstation_managernode.jsdebian_linuxgraalvmopenshift_service_meshfedoramac_os_xvs960hd_firmwaretraffic_serverjboss_enterprise_application_platformjboss_core_servicesweb_gatewayleapn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-9515
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-87.81% / 99.74%
||
7 Day CHG~0.00%
Published-13 Aug, 2019 | 20:50
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Action-Not Available
Vendor-n/aCanonical Ltd.Apple Inc.F5, Inc.The Apache Software FoundationFedora ProjectOracle CorporationRed Hat, Inc.McAfee, LLCDebian GNU/LinuxopenSUSENode.js (OpenJS Foundation)Synology, Inc.
Product-single_sign-onubuntu_linuxvs960hdsoftware_collectionsopenshift_container_platformopenstackenterprise_linuxquayskynasbig-ip_local_traffic_managerswiftniodiskstation_managernode.jsdebian_linuxgraalvmopenshift_service_meshfedoramac_os_xvs960hd_firmwaretraffic_serverjboss_enterprise_application_platformjboss_core_servicesweb_gatewayleapn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-3371
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.98% / 58.01%
||
7 Day CHG~0.00%
Published-30 Sep, 2022 | 13:15
Updated-20 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
No limit in length of "Token name" parameter results in DOS attack /memory corruption in ikus060/rdiffweb prior to 2.5.0a3 in ikus060/rdiffweb

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3.

Action-Not Available
Vendor-IKUS Software
Product-rdiffwebikus060/rdiffweb
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-6037
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-10.61% / 95.24%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 22:43
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Folder Creation in gaizhenbiao/chuanhuchatgpt

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows an attacker to create arbitrary folders at any location on the server, including the root directory (C: dir). This can lead to uncontrolled resource consumption, resulting in resource exhaustion, denial of service (DoS), server unavailability, and potential data loss or corruption.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2017-3555
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-7.5||HIGH
EPSS-2.57% / 83.29%
||
7 Day CHG~0.00%
Published-24 Apr, 2017 | 19:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle iReceivables component of Oracle E-Business Suite (subcomponent: Self Registration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iReceivables. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle iReceivables. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-ireceivablesiReceivables
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-15736
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.04% / 78.74%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 17:02
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Under certain circumstances, CI pipelines could potentially be used in a denial of service attack.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-30522
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-90.41% / 99.79%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 10:00
Updated-03 Aug, 2024 | 06:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mod_sed denial of service

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationFedora Project
Product-http_serverclustered_data_ontapfedoraApache HTTP Server
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-29701
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.97% / 57.54%
||
7 Day CHG~0.00%
Published-27 Apr, 2022 | 02:47
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A lack of rate limiting in the 'forgot password' feature of Zammad v5.1.0 allows attackers to send an excessive amount of reset requests for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.

Action-Not Available
Vendor-zammadn/a
Product-zammadn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-29286
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.01% / 58.87%
||
7 Day CHG~0.00%
Published-17 Jul, 2022 | 21:04
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

Action-Not Available
Vendor-pexipn/a
Product-pexip_infinityn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-29404
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-5.68% / 92.05%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 10:00
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service in mod_lua r:parsebody

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationFedora Project
Product-http_serverclustered_data_ontapfedoraApache HTTP Server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-28871
Matching Score-4
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
ShareView Details
Matching Score-4
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 40.56%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 10:14
Updated-03 Aug, 2024 | 06:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial-of-Service (DoS) Vulnerability

A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the fsicapd component used in certain F-Secure products while scanning larger packages/fuzzed files consume too much memory eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

Action-Not Available
Vendor-Apple Inc.F-Secure CorporationMicrosoft Corporation
Product-windowsatlantmacosmac_os_xAll F-Secure Endpoint Protection products on Windows and Mac F-Secure Linux Security (32-bit) F-Secure Linux Security 64 F-Secure Atlant F-Secure Internet Gatekeeper F-Secure Cloud Protection for Salesforce
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-15722
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.87% / 76.80%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 16:45
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.2.1. Particular mathematical expressions in GitLab Markdown can exhaust client resources.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-15225
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.42% / 87.44%
||
7 Day CHG~0.00%
Published-19 Aug, 2019 | 22:57
Updated-05 Aug, 2024 | 00:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.

Action-Not Available
Vendor-envoyproxyn/a
Product-envoyn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-14958
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.93% / 77.54%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 18:40
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains PyCharm before 2019.2 was allocating a buffer of unknown size for one of the connection processes. In a very specific situation, it could lead to a remote invocation of an OOM error message because of Uncontrolled Memory Allocation.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-pycharmn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-24685
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.52% / 71.58%
||
7 Day CHG+0.04%
Published-28 Feb, 2022 | 13:26
Updated-03 Aug, 2024 | 04:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

Action-Not Available
Vendor-n/aHashiCorp, Inc.
Product-nomadn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-23913
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.72% / 84.22%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 22:33
Updated-15 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ Artemis DoS

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

Action-Not Available
Vendor-The Apache Software FoundationNetApp, Inc.
Product-active_iq_unified_managerartemisoncommand_workflow_automationApache ActiveMQ Artemis
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-23837
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.26% / 91.54%
||
7 Day CHG~0.00%
Published-21 Jan, 2022 | 00:00
Updated-03 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

Action-Not Available
Vendor-contribsysn/aDebian GNU/Linux
Product-sidekiqdebian_linuxn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-15544
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.76% / 88.59%
||
7 Day CHG~0.00%
Published-26 Aug, 2019 | 17:08
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.

Action-Not Available
Vendor-rust-protobuf_projectn/aThe Apache Software Foundation
Product-hbaserust-protobufn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-20845
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.11% / 62.03%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:27
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-20818
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.53% / 71.69%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 15:47
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It allows memory consumption because data is created for each page of an application level.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-23228
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.30% / 67.02%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 21:50
Updated-03 Aug, 2024 | 03:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pexip Infinity before 27.0 has improper WebRTC input validation. An unauthenticated remote attacker can use excessive resources, temporarily causing denial of service.

Action-Not Available
Vendor-pexipn/a
Product-pexip_infinityn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-29863
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.33% / 67.59%
||
7 Day CHG+0.03%
Published-16 Jun, 2022 | 17:09
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OPC UA .NET Standard Stack 1.04.368 allows remote attacker to cause a crash via a crafted message that triggers excessive memory allocation.

Action-Not Available
Vendor-opcfoundationn/a
Product-ua_.net_standard_stackn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2009-4017
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-12.04% / 95.62%
||
7 Day CHG~0.00%
Published-24 Nov, 2009 | 00:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Action-Not Available
Vendor-n/aApple Inc.The PHP GroupDebian GNU/Linux
Product-phpdebian_linuxmac_os_xn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-16865
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.15% / 86.38%
||
7 Day CHG~0.00%
Published-04 Oct, 2019 | 21:09
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Action-Not Available
Vendor-n/aFedora ProjectPython Software Foundation
Product-pillowfedoran/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-22979
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-1.27% / 66.27%
||
7 Day CHG~0.00%
Published-21 Jun, 2022 | 14:23
Updated-03 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-spring_cloud_functionSpring Cloud Function
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11938
Matching Score-4
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-4
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.20% / 80.32%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:30
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2008-5180
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-67.98% / 99.24%
||
7 Day CHG~0.00%
Published-20 Nov, 2008 | 15:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Microsoft Communicator, and Communicator in Microsoft Office 2010 beta, allows remote attackers to cause a denial of service (memory consumption) via a large number of SIP INVITE requests, which trigger the creation of many sessions.

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-office_communicatorn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-21716
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-3.61% / 88.08%
||
7 Day CHG~0.00%
Published-03 Mar, 2022 | 00:00
Updated-22 Apr, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buffer Overflow in Twisted

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.

Action-Not Available
Vendor-twistedtwistedFedora ProjectDebian GNU/LinuxOracle Corporation
Product-http_serverdebian_linuxfedorazfs_storage_appliance_kittwistedtwisted
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11923
Matching Score-4
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-4
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.45% / 70.18%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 16:00
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Mcrouter prior to v0.41.0, the deprecated ASCII parser would allocate a buffer to a user-specified length with no maximum length enforced, allowing for resource exhaustion or denial of service.

Action-Not Available
Vendor-Facebook
Product-mcrouterMcrouter
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11478
Matching Score-4
Assigner-Canonical Ltd.
ShareView Details
Matching Score-4
Assigner-Canonical Ltd.
CVSS Score-5.3||MEDIUM
EPSS-94.69% / 99.85%
||
7 Day CHG~0.00%
Published-18 Jun, 2019 | 23:34
Updated-16 Sep, 2024 | 23:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SACK can cause extensive memory use via fragmented resend queue

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

Action-Not Available
Vendor-Ivanti SoftwareCanonical Ltd.Linux Kernel Organization, IncPulse SecureF5, Inc.Red Hat, Inc.
Product-ubuntu_linuxbig-ip_webacceleratorpulse_secure_virtual_application_delivery_controllerbig-ip_application_acceleration_managerenterprise_linux_atomic_hostbig-ip_policy_enforcement_managerbig-ip_fraud_protection_serviceenterprise_linuxenterprise_linux_ausbig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_analyticsbig-ip_domain_name_systemconnect_securebig-ip_application_security_managerbig-ip_edge_gatewaylinux_kernelbig-ip_link_controllerenterprise_linux_euspulse_policy_securebig-ip_access_policy_managertraffix_signaling_delivery_controllerenterprise_mrgbig-ip_advanced_firewall_managerLinux kernel
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-22278
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-0.88% / 54.56%
||
7 Day CHG~0.00%
Published-27 Apr, 2022 | 16:25
Updated-03 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in SonicOS CFS (Content filtering service) returns a large 403 forbidden HTTP response message to the source address when users try to access prohibited resource this allows an attacker to cause HTTP Denial of Service (DoS) attack

Action-Not Available
Vendor-SonicWall Inc.
Product-nsv_200_firmwaretz670tz500wnssp_15700nsa_3700nsa_2700tz400tz500_firmwaretz470w_firmwaretz300p_firmwarensv_25_firmwarensv_100nssp_13700nssp_10700_firmwarensa_9450_firmwarensa_2650tz350w_firmwarenssp_12400tz400w_firmwarensv_270nsv_50_firmwarensa_9650_firmwarensv_50nsv_470nsv_400tz600p_firmwaretz670_firmwarensv_1600nsa_3700_firmwaretz600tz300w_firmwarensa_2700_firmwaretz300pnsa_2650_firmwaretz350tz570p_firmwarensv_300_firmwarenssp_15700_firmwarensa_6650_firmwarenssp_13700_firmwarenssp_12400_firmwarenssp_11700_firmwaretz370nssp_12800_firmwaretz470wnsv_10tz370wnsa_5650nsa_4700_firmwarensv_870tz470_firmwarensa_6700_firmwaretz600_firmwarenssp_10700nsv_10_firmwarensa_9650tz350_firmwarensa_4650_firmwarensv_100_firmwarensa_6700nsa_3650_firmwarensa_9250tz350wnsa_9450nsv_25tz300wtz570_firmwarensa_6650nssp_12800nsa_4650nssp_11700tz400wtz570nsv_400_firmwaretz470tz600pnsv_870_firmwaretz500w_firmwarensv_800_firmwarensa_3650nsa_5700nsv_200nsa_4700nsa_5700_firmwaretz370w_firmwaretz570wtz370_firmwaretz570pnsv_800nsv_470_firmwarensv_300nsa_9250_firmwarensv_1600_firmwaretz570w_firmwarensa_5650_firmwaretz500tz400_firmwarensv_270_firmwareSonicOS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-21952
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-7.5||HIGH
EPSS-1.45% / 70.12%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 10:05
Updated-16 Sep, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SUMA unauthenticated remote DoS via resource exhaustion

A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37.

Action-Not Available
Vendor-SUSE
Product-manager_serverSUSE Manager Server 4.1SUSE Manager Server 4.2
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11924
Matching Score-4
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-4
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.40% / 81.99%
||
7 Day CHG~0.00%
Published-20 Aug, 2019 | 19:32
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019.01.28.00 and above of fizz, until v2019.08.05.00.

Action-Not Available
Vendor-Facebook
Product-fizzfizz
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11479
Matching Score-4
Assigner-Canonical Ltd.
ShareView Details
Matching Score-4
Assigner-Canonical Ltd.
CVSS Score-5.3||MEDIUM
EPSS-91.66% / 99.80%
||
7 Day CHG~0.00%
Published-18 Jun, 2019 | 23:34
Updated-16 Sep, 2024 | 23:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

Action-Not Available
Vendor-Canonical Ltd.Red Hat, Inc.Linux Kernel Organization, IncF5, Inc.
Product-ubuntu_linuxbig-ip_webacceleratorbig-ip_application_acceleration_managerbig-ip_policy_enforcement_managerbig-ip_fraud_protection_serviceenterprise_linuxvirtualization_hostbig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_analyticsbig-ip_domain_name_systemiworkflowbig-ip_application_security_managerbig-ip_edge_gatewaylinux_kernelbig-ip_link_controllerbig-iq_centralized_managemententerprise_managerbig-ip_access_policy_managertraffix_signaling_delivery_controllerbig-ip_advanced_firewall_managerLinux kernel
CWE ID-CWE-405
Asymmetric Resource Consumption (Amplification)
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11939
Matching Score-4
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-4
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.52% / 71.49%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 00:40
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-22153
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.93% / 56.25%
||
7 Day CHG~0.00%
Published-19 Jan, 2022 | 00:20
Updated-17 Sep, 2024 | 01:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SRX Series and MX Series with SPC3: A high percentage of fragments might lead to high latency or packet drops

An Insufficient Algorithmic Complexity combined with an Allocation of Resources Without Limits or Throttling vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX Series and MX Series with SPC3 allows an unauthenticated network attacker to cause latency in transit packet processing and even packet loss. If transit traffic includes a significant percentage (> 5%) of fragmented packets which need to be reassembled, high latency or packet drops might be observed. This issue affects Juniper Networks Junos OS on SRX Series, MX Series with SPC3: All versions prior to 18.2R3; 18.3 versions prior to 18.3R3; 18.4 versions prior to 18.4R2-S9, 18.4R3; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S1, 19.2R2.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx345mx2008mx960mx240srx5800srx110srx4000srx550_hmsrx220srx240h2mx2010mx5srx5400srx100srx3400srx300srx550mx104junosmx80srx210srx1500srx380srx4200srx340mx10008mx150srx4100mx10srx240mx2020srx3600mx10003srx5000mx10016srx1400mx10000mx204mx480srx320srx5600mx40srx650srx4600srx550mJunos OS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2022-21698
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-5.99% / 92.43%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 00:00
Updated-23 Apr, 2025 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in promhttp

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Action-Not Available
Vendor-rdo_projectprometheusprometheusFedora Project
Product-extra_packages_for_enterprise_linuxclient_golangfedorardoclient_golang
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2017-13763
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.06% / 60.41%
||
7 Day CHG~0.00%
Published-30 Aug, 2017 | 00:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.

Action-Not Available
Vendor-onosprojectn/a
Product-onosn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-10171
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.36% / 68.29%
||
7 Day CHG~0.00%
Published-02 Aug, 2019 | 13:49
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5. An attacker would still be able to provoke excessive CPU consumption leading to a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.Fedora Project
Product-389_directory_serverenterprise_linux_server_eus389-ds-base
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-21294
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.3||MEDIUM
EPSS-3.35% / 87.21%
||
7 Day CHG~0.00%
Published-19 Jan, 2022 | 11:23
Updated-27 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Action-Not Available
Vendor-Oracle CorporationNetApp, Inc.Debian GNU/Linux
Product-cloud_secure_agentsantricity_unified_managerhci_management_nodeoncommand_workflow_automationsolidfirejdk7-mode_transition_toolgraalvmdebian_linuxopenjdksnapmanagere-series_santricity_web_servicese-series_santricity_storage_managerjreoncommand_insightsantricity_storage_plugine-series_santricity_os_controlleractive_iq_unified_managercloud_insights_acquisition_unitJava SE JDK and JRE
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-10953
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-3.67% / 88.30%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:02
Updated-04 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO - Programmable Logic Controllers, multiple versions. Researchers have found some controllers are susceptible to a denial-of-service attack due to a flood of network packets.

Action-Not Available
Vendor-wagoWAGOSiemens AGSchneider Electric SEABBPhoenix Contact GmbH & Co. KG
Product-pfc100modicon_m2216es7211-1ae40-0xb0bacnet\/ip6ed1052-1cc01-0ba8_firmware6es7211-1ae40-0xb0_firmwarepm554-tp-eth_firmwareethernet6es7314-6eh04-0ab0_firmware6es7314-6eh04-0ab0knx_ipmodicon_m221_firmwareilc_151_ethknx_ip_firmwarebacnet\/ip_firmware6ed1052-1cc01-0ba8pfc100_firmwareethernet_firmwareilc_151_eth_firmwarepm554-tp-eth6ES7211-1AE40-0XB0 Simatic S7-1211750-8100 Controller PFC100ILC 191 ETH 2TX750-889 Controller KNX IP2700974 ILC 151 ETH750-880 Controller ETH6ED1052-1CC01-0BA8 Logo! 8750-831 Controller BACnet/IPModicon M221EcoStruxure Machine Expert – Basic6ES7314-6EH04-0AB0 Simatic S7-3141SAP120600R0071 PM554-TP-ETH
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2017-1227
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-1.42% / 69.52%
||
7 Day CHG~0.00%
Published-31 Jul, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Endpoint Manager could allow a unauthorized user to consume all resources and crash the system. IBM X-Force ID: 123906.

Action-Not Available
Vendor-IBM Corporation
Product-bigfix_platformBigFix Platform
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-10079
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-4.56% / 90.45%
||
7 Day CHG~0.00%
Published-22 Oct, 2019 | 15:42
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-traffic_serverApache Traffic Server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-0010
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-2.74% / 84.35%
||
7 Day CHG~0.00%
Published-15 Jan, 2019 | 21:00
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: SRX Series: Crafted HTTP traffic may cause UTM to consume all mbufs, leading to Denial of Service

An SRX Series Service Gateway configured for Unified Threat Management (UTM) may experience a system crash with the error message "mbuf exceed" -- an indication of memory buffer exhaustion -- due to the receipt of crafted HTTP traffic. Each crafted HTTP packet inspected by UTM consumes mbufs which can be identified through the following log messages: all_logs.0:Jun 8 03:25:03 srx1 node0.fpc4 : SPU3 jmpi mbuf stall 50%. all_logs.0:Jun 8 03:25:13 srx1 node0.fpc4 : SPU3 jmpi mbuf stall 51%. all_logs.0:Jun 8 03:25:24 srx1 node0.fpc4 : SPU3 jmpi mbuf stall 52%. ... Eventually the system runs out of mbufs and the system crashes (fails over) with the error "mbuf exceed". This issue only occurs when HTTP AV inspection is configured. Devices configured for Web Filtering alone are unaffected by this issue. Affected releases are Junos OS on SRX Series: 12.1X46 versions prior to 12.1X46-D81; 12.3X48 versions prior to 12.3X48-D77; 15.1X49 versions prior to 15.1X49-D101, 15.1X49-D110.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx5400srx1400srx5800srx110srx100srx3400srx550srx5600junossrx650srx220srx240srx3600srx210Junos OS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-0031
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.4||HIGH
EPSS-1.71% / 74.49%
||
7 Day CHG~0.00%
Published-10 Apr, 2019 | 20:13
Updated-16 Sep, 2024 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: jdhcpd daemon memory consumption Denial of Service when receiving specific IPv6 DHCP packets.

Specific IPv6 DHCP packets received by the jdhcpd daemon will cause a memory resource consumption issue to occur on a Junos OS device using the jdhcpd daemon configured to respond to IPv6 requests. Once started, memory consumption will eventually impact any IPv4 or IPv6 request serviced by the jdhcpd daemon, thus creating a Denial of Service (DoS) condition to clients requesting and not receiving IP addresses. Additionally, some clients which were previously holding IPv6 addresses will not have their IPv6 Identity Association (IA) address and network tables agreed upon by the jdhcpd daemon after the failover event occurs, which leads to more than one interface, and multiple IP addresses, being denied on the client. Affected releases are Juniper Networks Junos OS: 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junosJunos OS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-5316
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.23%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 00:00
Updated-30 Apr, 2026 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nothings stb stb_vorbis.c setup_free allocation of resources

A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-nothingsNothings
Product-stb_vorbis.cstb
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-7582
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-37.64% / 98.35%
||
7 Day CHG~0.00%
Published-09 Mar, 2018 | 20:00
Updated-05 Aug, 2024 | 06:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991.

Action-Not Available
Vendor-weblogexpertn/a
Product-weblog_expertn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-12537
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.88% / 54.65%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:09
Updated-04 Apr, 2025 | 09:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Denial of Service in open-webui/open-webui

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui/open-webui
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-12778
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.66%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in aimhubio/aim

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server.

Action-Not Available
Vendor-aimstackaimhubio
Product-aimaimhubio/aim
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found