XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
An issue was discovered in Technitium 11.0.2. There is a vulnerability (called BadDNS) in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing DoS (denial of service) for normal resolution. The effects of an exploit would be widespread and highly impactful, because the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9.
Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R00/01/02CPU all versions, R04/08/16/32/120(EN)CPU all versions, R08/16/32/120SFCPU all versions, R08/16/32/120PCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to prevent legitimate clients from connecting to the MELSOFT transmission port (TCP/IP) by not closing a connection properly, which may lead to a denial of service (DoS) condition.
The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing.
ColossusCoinXT through 1.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.
stratisX through 2.0.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
CloakCoin through 2.2.2.0 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
neblio through 1.5.1 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
lux through 5.2.2 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
HTMLCOIN through 2.12 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
reddcoin through 2.1.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142.
PIVX through 3.1.03 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream pushes.
A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is to system availability.
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the hostname parameter at /boafrm/formMapDelDevice. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
qtum through 0.16 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
alqo through 4.1 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
particl through 0.17 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
Phore through 1.3.3.1 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
Uncontrolled Resource Consumption vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Excessive Allocation.This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Divi through 4.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
emercoin through 0.7 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16.2 allow remote denial of service via a flood of multiple transaction inv messages with random hashes, aka INVDoS. NOTE: this can also affect other cryptocurrencies, e.g., if they were forked from Bitcoin Core after 2017-11-15.
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service.
A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device. This vulnerability is due to insufficient resource management when establishing TLS/SSL sessions. An attacker could exploit this vulnerability by sending a series of crafted TLS/SSL messages to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to stop accepting new connections, preventing new SSL VPN connections from being established. Existing SSL VPN sessions are not impacted. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.
Uncontrolled resource consumption in Windows Remote Desktop Services allows an unauthorized attacker to deny service over a network.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, there is no limit imposed to the depth of files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3.
mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.
A flaw was found in StarWind iSCSI target. An attacker could script standard iSCSI Initiator operation(s) to exhaust the StarWind service socket, which could lead to denial of service. This affects iSCSI SAN (Windows Native) Version 3.2.2 build 2007-02-20.
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
Uncontrolled resource consumption in Windows Netlogon allows an unauthorized attacker to deny service over a network.
parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the `/open_code_in_vs_code` and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of Visual Studio Code or the default folder opener (e.g., File Explorer, xdg-open) multiple times. This can render the host machine unusable by exhausting system resources. The vulnerability is present in the latest version of the software.
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.
jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker. quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.
A vulnerability in the Cisco IOx Application Framework of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Module, and Cisco IC3000 Industrial Compute Gateway could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient error handling during packet processing. An attacker could exploit this vulnerability by sending a high and sustained rate of crafted TCP traffic to the IOx web server on an affected device. A successful exploit could allow the attacker to cause the IOx web server to stop processing requests, resulting in a DoS condition.
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00470c50 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_mac_filter_set in the payload, which can cause the program to crash and lead to a Denial of Service (DoS) attack.