Vulnerabilities (CVE)

Filtered by CWE-400
Total 1407 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-23323 1 Envoyproxy 1 Envoy 2024-02-15 N/A 5.3 MEDIUM
Envoy is a high-performance edge/middle/service proxy. The regex expression is compiled for every request and can result in high CPU usage and increased request latency when multiple routes are configured with such matchers. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-32341 1 Ibm 1 Sterling B2b Integrator 2024-02-15 N/A 6.5 MEDIUM
IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 could allow an authenticated user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 255827.
CVE-2017-16021 1 Garycourt 1 Uri-js 2024-02-15 6.8 MEDIUM 6.5 MEDIUM
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
CVE-2023-25769 2024-02-14 N/A 5.5 MEDIUM
Uncontrolled resource consumption in some Intel(R) Thunderbolt(TM) DCH drivers for Windows before version 88 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-23952 2024-02-14 N/A 6.5 MEDIUM
This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset. Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.   This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.
CVE-2023-46104 1 Apache 1 Superset 2024-02-14 N/A 6.5 MEDIUM
Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.   This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.
CVE-2013-7428 1 Mapsplugin 1 Googlemaps 2024-02-14 5.0 MEDIUM 7.5 HIGH
The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to cause a denial of service via the url parameter to plugin_googlemap2_proxy.php.
CVE-2024-24781 2024-02-13 N/A 7.5 HIGH
An unauthenticated remote attacker can use an uncontrolled resource consumption vulnerability to DoS the affected devices through excessive traffic on a single ethernet port. 
CVE-2023-22819 1 Westerndigital 24 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 21 more 2024-02-13 N/A 4.9 MEDIUM
An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.
CVE-2024-25112 2024-02-13 N/A 5.5 MEDIUM
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted video file. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-25452 1 Axiosys 1 Bento4 2024-02-12 N/A 5.5 MEDIUM
Bento4 v1.6.0-640 was discovered to contain an out-of-memory bug via the AP4_UrlAtom::AP4_UrlAtom() function.
CVE-2024-25451 1 Axiosys 1 Bento4 2024-02-12 N/A 6.5 MEDIUM
Bento4 v1.6.0-640 was discovered to contain an out-of-memory bug via the AP4_DataBuffer::ReallocateBuffer() function.
CVE-2024-23824 1 Mailcow 1 Mailcow\ 2024-02-10 N/A 2.7 LOW
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to pixel flood attack, once the payload has been successfully uploaded in the logo the application goes slow and doesn't respond in the admin page. It is tested on the versions 2023-12a and prior and patched in version 2024-01.
CVE-2008-4077 2 Ledgersmb, Sql-ledger 2 Ledgersmb, Sql-ledger 2024-02-09 7.8 HIGH N/A
The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.
CVE-2024-24752 1 Mnapoli 1 Bref 2024-02-09 N/A 6.5 MEDIUM
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.
CVE-2024-24943 1 Jetbrains 1 Toolbox 2024-02-09 N/A 5.5 MEDIUM
In JetBrains Toolbox App before 2.2 a DoS attack was possible via a malicious SVG image
CVE-2021-21317 1 Uap-core Project 1 Uap-core 2024-02-08 5.0 MEDIUM 5.3 MEDIUM
uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.
CVE-2024-25143 2024-02-07 N/A 6.5 MEDIUM
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
CVE-2023-31006 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2024-02-07 N/A 7.5 HIGH
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. IBM X-Force ID: 254776.
CVE-2023-30999 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2024-02-06 N/A 7.5 HIGH
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 254651.