CWE-400: Uncontrolled Resource Consumption (Denial of Service)
3,206 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-400 (page 4 of 65). Entry format: CVE ID | severity | CVSS base score | EG (EchelonGraph) score | published date.
- CVE-2016-9596 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-08-16
libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incor…
- CVE-2017-0938 | HIGH | CVSS 7.5 | EG 7.5 | 2019-02-12
Denial of service in airMAX < 8.3.2, airMAX < 6.0.7 and EdgeMAX < 1.9.7 allows attackers to use the Discovery Protocol in amplification attacks.
- CVE-2017-1000476 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-01-03
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
- CVE-2017-12090 | HIGH | CVSS 7.7 | EG 7.5 | 2018-04-05
An exploitable denial of service vulnerability exists in the processing of snmp-set commands of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted snmp-set request, when sent without associated firmware flas…
- CVE-2017-12093 | MEDIUM | CVSS 5.3 | EG 7.5 | 2018-04-05
An exploitable insufficient resource pool vulnerability exists in the session communication functionality of Allen Bradley Micrologix 1400 Series B Firmware 21.2 and before. A specially crafted stream of packets can cause a flood of the se…
- CVE-2017-12174 | HIGH | CVSS 7.5 | EG 7.5 | 2018-03-07
It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full …
- CVE-2017-12237 | HIGH | CVSS 7.5 | EG 9.0 | KEV (CISA Known Exploited Vulnerabilities) | 2017-09-29
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS 15.0 through 15.6 and Cisco IOS XE 3.5 through 16.5 could allow an unauthenticated, remote attacker to cause high CPU utilization, traceback messages, or a …
- CVE-2017-12804 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-05-09
The iwgif_init_screen function in imagew-gif.c:510 in ImageWorsener 1.3.2 allows remote attackers to cause a denial of service (memory exhaustion) via a crafted file.
- CVE-2017-12805 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-09
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
- CVE-2017-12806 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-09
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
- CVE-2017-13211 | HIGH | CVSS 7.5 | EG 7.5 | 2018-01-12
In bta_scan_results_cb_impl of btif_ble_scanner.cc, there is possible resource exhaustion if a large number of repeated BLE scan results are received. This could lead to a remote denial of service of a critical system process with no addit…
- CVE-2017-13233 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-02-12
In ihevcd_ctb_boundary_strength_pbslice of libhevc, there is possible resource exhaustion. This could lead to a remote temporary denial of service with no additional execution privileges needed. User interaction is needed for exploitation.…
- CVE-2017-14177 | HIGH | CVSS 7.8 | EG 7.8 | 2018-02-02
Apport through 2.20.7 does not properly handle core dumps from setuid binaries allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain ro…
- CVE-2017-14179 | HIGH | CVSS 7.8 | EG 7.8 | 2018-02-02
Apport before 2.13 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gai…
- CVE-2017-14180 | HIGH | CVSS 7.8 | EG 7.8 | 2018-02-02
Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or po…
- CVE-2017-15119 | MEDIUM | CVSS 5.8 | EG 8.6 | 2018-07-27
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request…
- CVE-2017-15130 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-03-02
A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.
- CVE-2017-15132 | HIGH | CVSS 7.5 | EG 7.5 | 2018-01-25
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login proce…
- CVE-2017-15133 | HIGH | CVSS 7.5 | EG 7.5 | 2018-01-29
A denial of service flaw was found in miekg-dns before 1.0.4. A remote attacker could use carefully timed TCP packets to block the DNS server from accepting new connections.
- CVE-2017-15323 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-03-09
Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C30, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, TE60 V100R001C01, V100R001C10, V100R003C00, V500R002C00, V600R006C00, TP3106 V100R001C06, V100R002C00, VP9660…
- CVE-2017-15345 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-02-15
Huawei smartphones with software LON-L29DC721B186 have a denial of service vulnerability. An attacker could make a loop exit condition unreachable by sending a crafted 3GPP message. Successful exploit could cause the device t…
- CVE-2017-16013 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-04
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeou…
- CVE-2017-16021 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-06-04
uri-js is a module that tries to fully implement RFC 3986. One of its features is validating whether or not a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. Thi…
- CVE-2017-16023 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-04
Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denia…
- CVE-2017-16025 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-04
Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set…
- CVE-2017-16030 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-04
Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This…
- CVE-2017-16086 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.
- CVE-2017-16098 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default h…
- CVE-2017-16099 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.
- CVE-2017-16111 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-T…
- CVE-2017-16113 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
- CVE-2017-16114 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
- CVE-2017-16115 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.
- CVE-2017-16116 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML metho…
- CVE-2017-16117 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed to it. About 50k characters can block the event loop for 2 seco…
- CVE-2017-16118 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be b…
- CVE-2017-16119 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked…
- CVE-2017-16129 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-07
The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care …
- CVE-2017-16136 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerabili…
- CVE-2017-16137 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-07
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
- CVE-2017-16138 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-07
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
- CVE-2017-17166 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-02-15
Huawei DP300 V500R002C00, Secospace USG6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, TP3…
- CVE-2017-17290 | HIGH | CVSS 7.5 | EG 7.5 | 2018-02-15
The Lightweight Directory Access Protocol (LDAP) clients of Huawei TE60 with software V600R006C00, ViewPoint 9030 with software V100R011C02, V100R011C03 have a resource management errors vulnerability. An unauthenticated, remote attacker may mak…
- CVE-2017-1794 | HIGH | CVSS 7.5 | EG 7.5 | 2018-09-19
IBM Tivoli Monitoring 6.2.3 through 6.2.3.5 and 6.3.0 through 6.3.0.7 are vulnerable to both TEPS user privilege escalation and possible denial of service due to unconstrained memory growth. IBM X-Force ID: 137039.
- CVE-2017-18214 | HIGH | CVSS 7.5 | EG 7.5 | 2018-03-04
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
- CVE-2017-18299 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-10-23
Improper translation table consolidation logic leads to resource exhaustion and QSEE error in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in version MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 43…
- CVE-2017-3140 | LOW | CVSS 3.7 | EG 5.9 | 2019-01-16
If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query. Affects BIND 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1.
- CVE-2017-3144 | HIGH | CVSS 7.5 | EG 7.5 | 2019-01-16
A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server. Affects ISC DHCP 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, 4.3.0 to 4.3.…
- CVE-2017-3768 | HIGH | CVSS 7.5 | EG 7.5 | 2018-01-26
An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authen…
- CVE-2017-5693 | HIGH | CVSS 7.5 | EG 7.5 | 2018-07-31
Firmware in the Intel Puma 5, 6, and 7 Series might experience resource depletion or timeout, which allows a network attacker to create a denial of service via crafted network traffic.