Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-25618

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-14 Mar, 2023 | 04:51
Updated At-27 Feb, 2025 | 15:11
Rejected At-
Credits

Denial of Service (DoS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:14 Mar, 2023 | 04:51
Updated At:27 Feb, 2025 | 15:11
Rejected At:
â–¼CVE Numbering Authority (CNA)
Denial of Service (DoS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.

Affected Products
Vendor
SAP SESAP
Product
NetWeaver AS for ABAP and ABAP Platform
Default Status
unaffected
Versions
Affected
  • 700
  • 701
  • 702
  • 731
  • 740
  • 750
  • 751
  • 752
  • 753
  • 754
  • 755
  • 756
  • 757
  • 791
Problem Types
TypeCWE IDDescription
CWECWE-400CWE-400: Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-400
Description: CWE-400: Uncontrolled Resource Consumption
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://launchpad.support.sap.com/#/notes/3296346
N/A
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
N/A
Hyperlink: https://launchpad.support.sap.com/#/notes/3296346
Resource: N/A
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Resource: N/A
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://launchpad.support.sap.com/#/notes/3296346
x_transferred
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
x_transferred
Hyperlink: https://launchpad.support.sap.com/#/notes/3296346
Resource:
x_transferred
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:14 Mar, 2023 | 05:15
Updated At:11 Apr, 2023 | 22:15

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CPE Matches

SAP SE
sap
>>netweaver_application_server_abap>>700
cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>701
cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>702
cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>731
cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>740
cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>750
cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>751
cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>752
cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>753
cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>754
cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>755
cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>756
cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>757
cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_abap>>791
cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-400Primarycna@sap.com
NVD-CWE-noinfoSecondarynvd@nist.gov
CWE ID: CWE-400
Type: Primary
Source: cna@sap.com
CWE ID: NVD-CWE-noinfo
Type: Secondary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://launchpad.support.sap.com/#/notes/3296346cna@sap.com
Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlcna@sap.com
Vendor Advisory
Hyperlink: https://launchpad.support.sap.com/#/notes/3296346
Source: cna@sap.com
Resource:
Permissions Required
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Source: cna@sap.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

312Records found

CVE-2023-29185
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.3||MEDIUM
EPSS-0.57% / 43.51%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 03:08
Updated-07 Feb, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages)

SAP NetWeaver AS for ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters in certain circumstances which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesNetWeaver AS for ABAP (Business Server Pages)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-28763
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.61% / 45.38%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 02:52
Updated-07 Feb, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform

SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapNetWeaver AS for ABAP and ABAP Platform
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-27270
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.61% / 45.38%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 04:58
Updated-27 Feb, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapNetWeaver Application Server for ABAP and ABAP Platform
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-33001
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 33.41%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 02:05
Updated-09 Aug, 2024 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service (DOS) in SAP NetWeaver and ABAP platform

SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver and ABAP platformsap_netweaver_and_abap_platform
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-27896
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 40.95%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 05:02
Updated-27 Feb, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platform

In SAP BusinessObjects Business Intelligence Platform - version 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own CMS, leading to a high impact on availability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceBusinessObjects Business Intelligence Platform (Web Services)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-27271
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.57% / 43.40%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 05:01
Updated-27 Feb, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platform

In SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own admintools, leading to a high impact on availability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformBusinessObjects Business Intelligence Platform (Web Services)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-24524
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 40.95%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:17
Updated-20 Mar, 2025 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.

Action-Not Available
Vendor-SAP SE
Product-s\/4hanaS/4 HANA (Map Treasury Correspondence Format Data)
CWE ID-CWE-862
Missing Authorization
CVE-2016-10304
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.82%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.

Action-Not Available
Vendor-n/aSAP SE
Product-netweaver_application_server_javan/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-27603
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.86% / 54.50%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 18:40
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver AS for ABAP
CVE-2021-21488
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-1.29% / 67.12%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 14:07
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_knowledge_managementSAP NetWeaver Knowledge Management
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-41259
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.72% / 49.64%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 00:00
Updated-02 May, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use an ARRAY constructor.

Action-Not Available
Vendor-SAP SE
Product-sql_anywhereSAP SQL Anywhere
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-27670
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.91% / 56.14%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 16:11
Updated-03 Aug, 2024 | 05:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use indirect identifiers.

Action-Not Available
Vendor-SAP SE
Product-sql_anywhereSAP SQL Anywhere Server
CWE ID-CWE-99
Improper Control of Resource Identifiers ('Resource Injection')
CVE-2022-28217
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.70% / 49.20%
||
7 Day CHG~0.00%
Published-13 Jun, 2022 | 16:04
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by causing system to crash.

Action-Not Available
Vendor-SAP SE
Product-netweaverSAP NetWeaver (EP Web Page Composer)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-29617
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.79% / 52.09%
||
7 Day CHG~0.00%
Published-06 Jun, 2022 | 19:38
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to improper error handling an authenticated user can crash CLA assistant instance. This could impact the availability of the application.

Action-Not Available
Vendor-SAP SE
Product-contributor_license_agreement_assistantCLA Assistant
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2026-24324
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 25.70%
||
7 Day CHG~0.00%
Published-10 Feb, 2026 | 03:04
Updated-17 Feb, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools)

SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management Server (CMS) to crash, rendering the CMS partially or completely unavailable and resulting in the denial of service of the Content Management Server (CMS). Successful exploitation impacts system availability, while confidentiality and integrity remain unaffected.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (AdminTools)
CWE ID-CWE-405
Asymmetric Resource Consumption (Amplification)
CVE-2019-0271
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-1.44% / 70.13%
||
7 Day CHG~0.00%
Published-12 Mar, 2019 | 22:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.

Action-Not Available
Vendor-SAP SE
Product-sap_kerneladvanced_business_application_programming_serveradvanced_business_application_programming_platformABAP ServerABAP Server & Platform
CWE ID-CWE-20
Improper Input Validation
CVE-2020-6362
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-1.04% / 60.18%
||
7 Day CHG+0.01%
Published-20 Oct, 2020 | 13:31
Updated-04 Aug, 2024 | 09:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Banking Services version 500, use an incorrect authorization object in some of its reports. Although the affected reports are protected with otherauthorization objects, exploitation of the vulnerability could lead to privilege escalation and violation in segregation of duties, which in turn could lead to Service interruptions and system unavailability for the victim and users of the component.

Action-Not Available
Vendor-SAP SE
Product-banking_servicesSAP Banking Services
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-26826
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-1.21% / 64.98%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 16:30
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS JAVA
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-22543
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-1.36% / 68.65%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, does not sufficiently validate sap-passport information, which could lead to a Denial-of-Service attack. This allows an unauthorized remote user to provoke a breakdown of the SAP Web Dispatcher or Kernel work process. The crashed process can be restarted immediately, other processes are not affected.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abapnetweaver_abapSAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-34688
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.85%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 02:02
Updated-09 Aug, 2024 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)

Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS Javanetweaver
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2017-9845
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.50% / 82.94%
||
7 Day CHG~0.00%
Published-12 Jul, 2017 | 16:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-3593
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.61% / 45.11%
||
7 Day CHG+0.10%
Published-17 Jul, 2023 | 15:38
Updated-21 Oct, 2024 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server crash via a specially crafted markdown input

Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-1600
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.20% / 64.61%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 08:40
Updated-17 Sep, 2024 | 02:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: A specific SNMP command can trigger a high CPU usage Denial of Service in the RPD daemon.

In a Point-to-Multipoint (P2MP) Label Switched Path (LSP) scenario, an uncontrolled resource consumption vulnerability in the Routing Protocol Daemon (RPD) in Juniper Networks Junos OS allows a specific SNMP request to trigger an infinite loop causing a high CPU usage Denial of Service (DoS) condition. This issue affects both SNMP over IPv4 and IPv6. This issue affects: Juniper Networks Junos OS: 12.3X48 versions prior to 12.3X48-D90; 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D238, 15.1X53-D592; 16.1 versions prior to 16.1R7-S5; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R3-S1; 17.2 versions prior to 17.2R3-S2; 17.3 versions prior to 17.3R3-S7; 17.4 versions prior to 17.4R2-S4, 17.4R3; 18.1 versions prior to 18.1R3-S5; 18.2 versions prior to 18.2R3; 18.2X75 versions prior to 18.2X75-D50; 18.3 versions prior to 18.3R2; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R2.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junosJunos OS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2020-14297
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.20% / 64.79%
||
7 Day CHG~0.00%
Published-24 Jul, 2020 | 15:37
Updated-15 Oct, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.

Action-Not Available
Vendor-Red Hat, Inc.
Product-single_sign-onopenshift_application_runtimesjboss_fusejboss-ejb-clientamqjboss_enterprise_application_platform_continuous_deliverywildfly
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-13280
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.05% / 60.45%
||
7 Day CHG~0.00%
Published-13 Aug, 2020 | 12:49
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-54995
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 36.32%
||
7 Day CHG~0.00%
Published-28 Aug, 2025 | 15:08
Updated-03 Nov, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Asterisk remotely exploitable leak of RTP UDP ports and internal resources

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

Action-Not Available
Vendor-Sangoma Technologies Corp.Asterisk
Product-asteriskcertified_asteriskasterisk
CWE ID-CWE-1286
Improper Validation of Syntactic Correctness of Input
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-20692
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-1.10% / 62.09%
||
7 Day CHG~0.00%
Published-15 Apr, 2022 | 14:16
Updated-06 Nov, 2024 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco IOS XE Software NETCONF Over SSH Denial of Service Vulnerability

A vulnerability in the NETCONF over SSH feature of Cisco IOS XE Software could allow a low-privileged, authenticated, remote attacker to cause a denial of service condition (DoS) on an affected device. This vulnerability is due to insufficient resource management. An attacker could exploit this vulnerability by initiating a large number of NETCONF over SSH connections. A successful exploit could allow the attacker to exhaust resources, causing the device to reload and resulting in a DoS condition on an affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeCisco IOS XE Software
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-5342
Matching Score-4
Assigner-Zohocorp
ShareView Details
Matching Score-4
Assigner-Zohocorp
CVSS Score-4.3||MEDIUM
EPSS-1.04% / 60.07%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 14:20
Updated-07 Nov, 2025 | 01:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DoS)

Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.

Action-Not Available
Vendor-Zoho Corporation Pvt. Ltd.
Product-manageengine_exchange_reporter_plusManageEngine Exchange Reporter Plus
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-53893
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.35% / 27.03%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 17:47
Updated-05 Aug, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Browser Vulnerable to Uncontrolled Memory Consumption Due to Oversized File Processing

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. As of time of publication, no known patches are available.

Action-Not Available
Vendor-filebrowserfilebrowser
Product-filebrowserfilebrowser
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2020-11645
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-6.5||MEDIUM
EPSS-1.35% / 68.29%
||
7 Day CHG~0.00%
Published-15 Oct, 2020 | 14:59
Updated-17 Sep, 2024 | 01:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GateManager Denial of Service Vulnerability

A denial of service vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to limit availability of GateManager instances.

Action-Not Available
Vendor-B&R Industrial Automation GmbH
Product-gatemanager_9250_firmwaregatemanager_8250gatemanager_8250_firmwaregatemanager_9250gatemanager_4260gatemanager_4260_firmwareGateManager
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-35329
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.82% / 76.37%
||
7 Day CHG+0.23%
Published-11 Jul, 2023 | 17:02
Updated-01 Jan, 2025 | 01:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Authentication Denial of Service Vulnerability

Windows Authentication Denial of Service Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_21h2windows_10_1809windows_server_2016windows_server_2012windows_10_1507windows_11_21h2windows_10_22h2windows_server_2022windows_11_22h2windows_server_2019windows_10_1607Windows Server 2022Windows 10 Version 1607Windows 11 version 22H2Windows Server 2019 (Server Core installation)Windows 10 Version 1809Windows Server 2016 (Server Core installation)Windows 11 version 21H2Windows Server 2012 (Server Core installation)Windows Server 2016Windows 10 Version 1507Windows 10 Version 21H2Windows Server 2012 R2Windows Server 2012Windows Server 2019Windows Server 2012 R2 (Server Core installation)Windows 10 Version 22H2
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-10005
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.29% / 67.09%
||
7 Day CHG~0.00%
Published-28 Oct, 2021 | 00:00
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A resource exhaustion issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1. An attacker in a privileged network position may be able to perform denial of service.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-7258
Matching Score-4
Assigner-Google LLC
ShareView Details
Matching Score-4
Assigner-Google LLC
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 6.07%
||
7 Day CHG~0.00%
Published-15 May, 2024 | 16:29
Updated-22 Jul, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial-of-Service in Gvisor

A denial of service exists in Gvisor Sandbox where a bug in reference counting code in mount point tracking could lead to a panic, making it possible for an attacker running as root and with permission to mount volumes to kill the sandbox. We recommend upgrading past commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6

Action-Not Available
Vendor-Google LLC
Product-gvisorGvisor
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-32341
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.61% / 45.05%
||
7 Day CHG~0.00%
Published-09 Feb, 2024 | 00:58
Updated-02 Aug, 2024 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling B2B Integrator denial of service

IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 could allow an authenticated user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 255827.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-32229
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-4.9||MEDIUM
EPSS-0.59% / 44.32%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 10:03
Updated-12 Dec, 2024 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to an error in the software interface to the secure element chip on Bosch IP cameras of family CPP13 and CPP14, the chip can be permanently damaged when enabling the Stream security option (signing of the video stream) with option MD5, SHA-1 or SHA-256.

Action-Not Available
Vendor-Robert Bosch GmbH
Product-flexidome_outdoor_5100i_ircpp13_firmwareautodome_inteox_7000iflexidome_panoramic_5100i_irmic_inteox_7100iflexidome_indoor_5100iflexidome_inteox_7100i_irdinion_7100i_irautodome_7000iflexidome_multi_7000i_irdinion_inteox_7100i_irflexidome_indoor_5100i_ircpp14_firmwareflexidome_outdoor_5100iautodome_7100_irflexidome_multi_7000iflexidome_panoramic_5100iCamera Firmware
CWE ID-CWE-1246
Improper Write Handling in Limited-write Non-Volatile Memories
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-52867
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6||MEDIUM
EPSS-0.39% / 30.96%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 18:14
Updated-08 Oct, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-6559
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-2.40% / 82.19%
||
7 Day CHG~0.00%
Published-05 Mar, 2019 | 21:00
Updated-16 Sep, 2024 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Moxa IKS and EDS allow remote authenticated users to cause a denial of service via a specially crafted packet, which may cause the switch to crash.

Action-Not Available
Vendor-ICS-CERTMoxa Inc.
Product-eds-510aeds-408a_firmwareeds-408aeds-510a_firmwareiks-g6824aeds-405a_firmwareiks-g6824a_firmwareeds-405aMoxa IKS, EDS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-31006
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.89% / 55.40%
||
7 Day CHG~0.00%
Published-03 Feb, 2024 | 01:05
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Access Manager Container denial of service

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. IBM X-Force ID: 254776.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_access_dockersecurity_verify_accessSecurity Verify Access ApplianceSecurity Verify Access Docker
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-2831
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.68% / 48.21%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 09:06
Updated-06 Dec, 2024 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service while unescaping a Markdown string

Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-4080
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-3.12% / 86.40%
||
7 Day CHG~0.00%
Published-02 Apr, 2019 | 13:20
Updated-16 Sep, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper parameter parsing. A remote attacker could exploit this to consume all available CPU resources. IBM X-Force ID: 157380.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-26595
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.5||MEDIUM
EPSS-0.53% / 41.52%
||
7 Day CHG~0.00%
Published-23 May, 2023 | 00:00
Updated-28 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Denial-of-service (DoS) vulnerability in Message of Cybozu Garoon 4.10.0 to 5.9.2 allows a remote authenticated attacker to cause a denial of service condition.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-41115
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.68% / 74.38%
||
7 Day CHG~0.00%
Published-07 Oct, 2021 | 22:20
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Regular expression denial-of-service in Zulip

Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS -- this was both insufficient, as well as _itself_ subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should [upgrade to the just-released Zulip 4.7](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release), or [`main`](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-from-a-git-repository).

Action-Not Available
Vendor-Kandra Labs, Inc. (Zulip)
Product-zulipzulip
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2023-23296
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.80% / 52.43%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 00:00
Updated-17 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

Action-Not Available
Vendor-korenixn/a
Product-jetwave_2212xjetwave_3420_v3__firmwarejetwave_2114_firmwarejetwave_2460_firmwarejetwave_2212x_firmwarejetwave_2411l_firmwarejetwave_2111l_firmwarejetwave_2211c_firmwarejetwave_4221hp-e__firmwarejetwave_3420_v3jetwave_2411ljetwave_2111jetwave_2111ljetwave_2212gjetwave_2414jetwave_4221hp-ejetwave_2411jetwave_2414_firmwarejetwave_2114jetwave_2212g_firmwarejetwave_2424_firmwarejetwave_2411_firmwarejetwave_2212s_firmwarejetwave_2111_firmwarejetwave_2460jetwave_2211cjetwave_3220_v3jetwave_2212sjetwave_3220_v3__firmwaren/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-46392
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-1.66% / 74.09%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 09:34
Updated-13 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons Configuration: Uncontrolled Resource Consumption when loading untrusted configurations in 1.x

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations. Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.

Action-Not Available
Vendor-The Apache Software Foundation
Product-Apache Commons Configuration
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-20863
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-1.12% / 62.58%
||
7 Day CHG~0.00%
Published-13 Apr, 2023 | 00:00
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-spring_frameworkSpring Framework
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-8769
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.56% / 42.89%
||
7 Day CHG~0.00%
Published-17 May, 2026 | 23:00
Updated-19 May, 2026 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vercel ai provider-utils response-handler.ts createJsonErrorResponseHandler resource consumption

A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-vercelvercel
Product-aiai
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-404
Improper Resource Shutdown or Release
CVE-2021-38465
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8||HIGH
EPSS-0.79% / 52.12%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 11:23
Updated-16 Sep, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AUVESY Versiondog

The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable.

Action-Not Available
Vendor-auvesyAUVESY
Product-versiondogVersiondog
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-9602
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.24% / 14.35%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 10:03
Updated-17 Jul, 2026 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost Desktop App crashes when malformed arguments are provided to some exposed IPC methods

Mattermost Desktop App versions <=6.2 6.0.2 5.6.13.0 fail to validate payloads sent from the Mattermost Web App to the Desktop App which allows a malicious server owner to crash the Mattermost Desktop App via changing the payload of a method to a malformed one. Mattermost Advisory ID: MMSA-2026-00678

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-20155
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.83%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 16:48
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in a logging API in Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause the device to become unresponsive or trigger an unexpected reload. This vulnerability could also allow an attacker with valid user credentials, but not Administrator privileges, to view a system log file that they would not normally have access to. This vulnerability is due to a lack of rate-limiting of requests that are sent to a specific API that is related to an FMC log. An attacker could exploit this vulnerability by sending a high rate of HTTP requests to the API. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to the FMC CPU spiking to 100 percent utilization or to the device reloading. CPU utilization would return to normal if the attack traffic was stopped before an unexpected reload was triggered.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-16671
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.93% / 77.75%
||
7 Day CHG~0.00%
Published-06 Dec, 2019 | 17:06
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Remote authenticated users can crash a device with a special packet because of Uncontrolled Resource Consumption.

Action-Not Available
Vendor-weidmuellern/a
Product-ie-sw-pl18mt-2gc14tx2stie-sw-pl18mt-2gc14tx2st_firmwareie-sw-pl16mt-16tx_firmwareie-sw-pl10m-1gt-2gs-7tx_firmwareie-sw-pl08m-8txie-sw-vl05mt-3tx-2scie-sw-vl05mt-3tx-2sc_firmwareie-sw-pl18m-2gc14tx2scie-sw-vl05mt-5txie-sw-pl08m-6tx-2st_firmwareie-sw-vl08mt-6tx-2stie-sw-pl18m-2gc14tx2scsie-sw-pl08mt-8txie-sw-pl18mt-2gc14tx2scsie-sw-pl16mt-14tx-2stie-sw-vl05m-5txie-sw-pl16mt-16txie-sw-pl16mt-14tx-2sc_firmwareie-sw-pl18m-2gc14tx2scs_firmwareie-sw-pl08mt-6tx-2st_firmwareie-sw-pl16m-16tx_firmwareie-sw-vl08mt-6tx-2scsie-sw-pl10m-3gt-7tx_firmwareie-sw-vl05m-3tx-2sc_firmwareie-sw-pl08m-6tx-2sc_firmwareie-sw-pl08m-6tx-2stie-sw-pl08m-8tx_firmwareie-sw-pl08m-6tx-2scs_firmwareie-sw-pl09m-5gc-4gtie-sw-pl18m-2gc-16tx_firmwareie-sw-vl08mt-6tx-2sc_firmwareie-sw-pl09mt-5gc-4gtie-sw-vl05m-3tx-2st_firmwareie-sw-vl08mt-6tx-2scie-sw-pl18mt-2gc-16tx_firmwareie-sw-pl10m-3gt-7txie-sw-pl16m-16txie-sw-pl10mt-3gt-7txie-sw-pl08mt-6tx-2sc_firmwareie-sw-pl08mt-6tx-2scie-sw-pl18mt-2gc14tx2scs_firmwareie-sw-pl08mt-8tx_firmwareie-sw-pl18mt-2gc-16txie-sw-pl16m-14tx-2stie-sw-pl18m-2gc14tx2stie-sw-vl05mt-3tx-2st_firmwareie-sw-pl16m-14tx-2scie-sw-pl18m-2gc-16txie-sw-vl08mt-5tx-1sc-2scsie-sw-pl16mt-14tx-2st_firmwareie-sw-pl18m-2gc14tx2sc_firmwareie-sw-pl10mt-1gt-2gs-7tx_firmwareie-sw-pl08m-6tx-2scie-sw-pl08m-6tx-2scsie-sw-pl09m-5gc-4gt_firmwareie-sw-vl08mt-6tx-2st_firmwareie-sw-pl08mt-6tx-2stie-sw-pl16mt-14tx-2scie-sw-pl18m-2gc14tx2st_firmwareie-sw-vl08mt-5tx-3sc_firmwareie-sw-pl10mt-3gt-7tx_firmwareie-sw-pl18mt-2gc14tx2sc_firmwareie-sw-pl09mt-5gc-4gt_firmwareie-sw-pl16m-14tx-2sc_firmwareie-sw-vl05mt-5tx_firmwareie-sw-pl10m-1gt-2gs-7txie-sw-vl08mt-6tx-2scs_firmwareie-sw-pl10mt-1gt-2gs-7txie-sw-vl05m-3tx-2scie-sw-vl08mt-8tx_firmwareie-sw-pl18mt-2gc14tx2scie-sw-vl08mt-8txie-sw-pl08mt-6tx-2scsie-sw-pl16m-14tx-2st_firmwareie-sw-vl05mt-3tx-2stie-sw-vl08mt-5tx-3scie-sw-vl08mt-5tx-1sc-2scs_firmwareie-sw-vl05m-3tx-2stie-sw-pl08mt-6tx-2scs_firmwareie-sw-vl05m-5tx_firmwaren/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 6
  • 7
  • Next
Details not found