Total
940 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4723 | 1 Ikus-soft | 1 Rdiffweb | 2023-01-05 | N/A | 6.5 MEDIUM |
| Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5. | |||||
| CVE-2022-26336 | 2 Apache, Netapp | 2 Poi, Active Iq Unified Manager | 2022-12-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1. | |||||
| CVE-2020-14322 | 1 Moodle | 1 Moodle | 2022-12-07 | N/A | 7.5 HIGH |
| In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. | |||||
| CVE-2020-28491 | 3 Fasterxml, Oracle, Quarkus | 3 Jackson-dataformats-binary, Weblogic Server, Quarkus | 2022-12-06 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. | |||||
| CVE-2020-35896 | 1 Ws-rs Project | 1 Ws-rs | 2022-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack. | |||||
| CVE-2019-4338 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2022-12-02 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Guardium Big Data Intelligence 4.0 (SonarG) does not properly restrict the size or amount of resources that are requested or influenced by an actor. This weakness can be used to consume more resources than intended. IBM X-Force ID: 161417. | |||||
| CVE-2021-32476 | 1 Moodle | 1 Moodle | 2022-12-02 | 5.0 MEDIUM | 7.5 HIGH |
| A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | |||||
| CVE-2022-41921 | 1 Discourse | 1 Discourse | 2022-12-01 | N/A | 4.3 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been introduced. No known workarounds are available. | |||||
| CVE-2019-10171 | 2 Fedoraproject, Redhat | 2 389 Directory Server, Enterprise Linux Server Eus | 2022-11-30 | 7.8 HIGH | 7.5 HIGH |
| It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5. An attacker would still be able to provoke excessive CPU consumption leading to a denial of service. | |||||
| CVE-2022-4044 | 1 Mattermost | 1 Mattermost | 2022-11-26 | N/A | 6.5 MEDIUM |
| A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages. | |||||
| CVE-2022-45471 | 1 Jetbrains | 1 Hub | 2022-11-21 | N/A | 7.5 HIGH |
| In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address | |||||
| CVE-2022-25169 | 2 Apache, Oracle | 2 Tika, Primavera Unifier | 2022-11-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. | |||||
| CVE-2021-38465 | 1 Auvesy | 1 Versiondog | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable. | |||||
| CVE-2021-38463 | 1 Auvesy | 1 Versiondog | 2022-10-27 | 5.5 MEDIUM | 8.1 HIGH |
| The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions. | |||||
| CVE-2020-19464 | 1 Flowpaper | 1 Pdf2json | 2022-10-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue has been found in function XRef::fetch in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow . | |||||
| CVE-2020-19463 | 1 Flowpaper | 1 Pdf2json | 2022-10-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue has been found in function vfprintf in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow. | |||||
| CVE-2021-32699 | 1 Pterodactyl | 1 Wings | 2022-10-25 | 2.1 LOW | 6.5 MEDIUM |
| Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, eventually causing the physical server to stop responding. Users should upgrade to `1.4.4` to mitigate the issue. There is no non-code based workaround for impacted versions of the software. Users running customized versions of this software can manually set a PID limit for containers created. | |||||
| CVE-2021-21293 | 1 Typelevel | 1 Blaze | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
| blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. The issue is fixed in version 0.14.15 for "NIO1SocketServerGroup". A "maxConnections" parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number. The "NIO2SocketServerGroup" has no such setting and is now deprecated. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xmw9-q7x9-j5qc. | |||||
| CVE-2021-21294 | 1 Typelevel | 1 Http4s | 2022-10-24 | 5.0 MEDIUM | 7.5 HIGH |
| Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general "MaxActiveRequests" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new "maxConnections" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w. | |||||
| CVE-2022-34439 | 1 Dell | 1 Emc Powerscale Onefs | 2022-10-24 | N/A | 7.5 HIGH |
| Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node. | |||||