CWE-772
AllowedMissing Release of Resource after Effective Lifetime
Abstraction: Base · Status: Draft
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
567 vulnerabilities reference this CWE, most recent first.
CVE-2025-36128 (GCVE-0-2025-36128)
Vulnerability from cvelistv5 – Published: 2025-10-16 16:49 – Updated: 2025-10-16 18:13- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7244480 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | MQ |
Affected:
9.1
Affected: 9.2 Affected: 9.3 Affected: 9.4 cpe:2.3:a:ibm:mq:9.1.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.2.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.3.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.4.0:*:*:*:lts:*:*:* |
|
| IBM | MQ |
Affected:
9.3
Affected: 9.4 cpe:2.3:a:ibm:mq:9.3.0:*:*:*:continuous_delivery:*:*:* cpe:2.3:a:ibm:mq:9.4.0:*:*:*:continuous_delivery:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:23.348860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:13:32.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:mq:9.1.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.2.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.3.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0:*:*:*:lts:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MQ",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.1"
},
{
"status": "affected",
"version": "9.2"
},
{
"status": "affected",
"version": "9.3"
},
{
"status": "affected",
"version": "9.4"
}
],
"x_SWEdition": "LTS"
},
{
"cpes": [
"cpe:2.3:a:ibm:mq:9.3.0:*:*:*:continuous_delivery:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0:*:*:*:continuous_delivery:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MQ",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.3"
},
{
"status": "affected",
"version": "9.4"
}
],
"x_SWEdition": "CD"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service."
}
],
"value": "IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T16:49:26.251Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7244480"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo secure IBM WebSphere Liberty profile shipped with IBM MQ from Slowloris DDoS attacks, use one of the following methods:\u003c/p\u003e\u003cp\u003e1. Load Balancer Configuration\u003c/p\u003e\u003cp\u003eIf the setup involves a load balancer in front of the IBM WebSphere Liberty profile of IBM MQ, configure the load balancer to handle Slowloris-style attacks. A load balancer acts as an intermediary between clients and Liberty, distributing incoming requests across multiple backend servers.\u003c/p\u003e\u003cp\u003eBy using hardware load balancers with properly configured HTTP profiles, only complete and valid HTTP requests are forwarded to the web server, effectively filtering out the partial requests caused by Slowloris. This approach helps to prevent the attack from overwhelming the server, allowing it to continue serving legitimate traffic. Refer to IBM WebSphere Liberty documentation for configuration details.\u003c/p\u003e\u003cp\u003e2. Reverse Proxy\u003c/p\u003e\u003cp\u003eConsider using a reverse proxy to handle client requests. The reverse proxy can implement various security measures, including request buffering and handling connection timeouts, to mitigate Slowloris attacks.\u003c/p\u003e\u003cp\u003e3. Web Application Firewall (WAF)\u003c/p\u003e\u003cp\u003eDeploy a Web Application Firewall that can detect and block Slowloris-style attacks. A WAF can analyze incoming traffic, identify suspicious patterns indicative of Slowloris attacks, and block such requests before they reach the application server.\u003c/p\u003e\u003cp\u003e4. Limit Concurrent Connections\u003c/p\u003e\u003cp\u003eImplement a limit on the number of concurrent connections allowed from a single IP address or source. This helps to prevent an attack from establishing numerous connections and consuming all available server resources.\u003c/p\u003e\u003cp\u003e5. Traffic Rate Limiting\u003c/p\u003e\u003cp\u003eImplement rate-limiting mechanisms on the server to restrict the number of requests from a single IP address or source within a specific time frame. This method helps to prevent an attack from sending a pool of requests in a short period.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "To secure IBM WebSphere Liberty profile shipped with IBM MQ from Slowloris DDoS attacks, use one of the following methods:\n\n1. Load Balancer Configuration\n\nIf the setup involves a load balancer in front of the IBM WebSphere Liberty profile of IBM MQ, configure the load balancer to handle Slowloris-style attacks. A load balancer acts as an intermediary between clients and Liberty, distributing incoming requests across multiple backend servers.\n\nBy using hardware load balancers with properly configured HTTP profiles, only complete and valid HTTP requests are forwarded to the web server, effectively filtering out the partial requests caused by Slowloris. This approach helps to prevent the attack from overwhelming the server, allowing it to continue serving legitimate traffic. Refer to IBM WebSphere Liberty documentation for configuration details.\n\n2. Reverse Proxy\n\nConsider using a reverse proxy to handle client requests. The reverse proxy can implement various security measures, including request buffering and handling connection timeouts, to mitigate Slowloris attacks.\n\n3. Web Application Firewall (WAF)\n\nDeploy a Web Application Firewall that can detect and block Slowloris-style attacks. A WAF can analyze incoming traffic, identify suspicious patterns indicative of Slowloris attacks, and block such requests before they reach the application server.\n\n4. Limit Concurrent Connections\n\nImplement a limit on the number of concurrent connections allowed from a single IP address or source. This helps to prevent an attack from establishing numerous connections and consuming all available server resources.\n\n5. Traffic Rate Limiting\n\nImplement rate-limiting mechanisms on the server to restrict the number of requests from a single IP address or source within a specific time frame. This method helps to prevent an attack from sending a pool of requests in a short period."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM MQ denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36128",
"datePublished": "2025-10-16T16:49:26.251Z",
"dateReserved": "2025-04-15T21:16:18.171Z",
"dateUpdated": "2025-10-16T18:13:32.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36071 (GCVE-0-2025-36071)
Vulnerability from cvelistv5 – Published: 2025-07-29 18:27 – Updated: 2025-07-29 19:32- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7240955 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | IBM Db2 |
Affected:
11.5.0 , ≤ 11.5.9
(semver)
Affected: 12.1.0 , ≤ 12.1.2 (semver) cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:zos:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T19:32:03.369341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T19:32:16.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:zos:*:*"
],
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"Unix",
"AIX",
"z/OS"
],
"product": "IBM Db2",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.5.9",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.1.2",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T18:27:40.227Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7240955"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customers running any vulnerable affected level of an affected Program V11.5, and V12.1 can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent affected level for each impacted release: V11.5.9, V12.1.1 and V12.1.2. They can be applied to any affected mod pack level of the appropriate release to remediate this vulnerability.\u003cbr\u003e\u003cbr\u003e \u003cbr\u003e\u003cbr\u003eRelease Fixed in mod pack APAR Download URL\u003cbr\u003eV11.5 TBD DT425663 \u003cbr\u003eSpecial Build #62071 or later for V11.5.9 available at this link:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7087189\"\u003ehttps://www.ibm.com/support/pages/node/7087189\u003c/a\u003e\u003cbr\u003eV12.1 V12.1.2 DT425663 \u003cbr\u003eSpecial Build #62100 or later for V12.1.1 available at this link:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/db2-v1211-published-cumulative-special-build-downloads#52441\"\u003ehttps://www.ibm.com/support/pages/db2-v1211-published-cumulative-special-build-downloads#52441\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e12.1.2 Latest:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads\"\u003ehttps://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e \u003cbr\u003e\u003cbr\u003eIBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.\u003cbr\u003e\u003cbr\u003eNote: After December 31, 2025, 11.1 and 10.5 versions of Db2 will not have security fixes made available as they will reach EoS.\u003cbr\u003e"
}
],
"value": "Customers running any vulnerable affected level of an affected Program V11.5, and V12.1 can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent affected level for each impacted release: V11.5.9, V12.1.1 and V12.1.2. They can be applied to any affected mod pack level of the appropriate release to remediate this vulnerability.\n\n \n\nRelease Fixed in mod pack APAR Download URL\nV11.5 TBD DT425663 \nSpecial Build #62071 or later for V11.5.9 available at this link:\n\n https://www.ibm.com/support/pages/node/7087189 \nV12.1 V12.1.2 DT425663 \nSpecial Build #62100 or later for V12.1.1 available at this link:\n\n https://www.ibm.com/support/pages/db2-v1211-published-cumulative-special-build-downloads#52441 \n\n12.1.2 Latest:\n\n https://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads \n\n \n\nIBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.\n\nNote: After December 31, 2025, 11.1 and 10.5 versions of Db2 will not have security fixes made available as they will reach EoS."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36071",
"datePublished": "2025-07-29T18:27:40.227Z",
"dateReserved": "2025-04-15T21:16:13.121Z",
"dateUpdated": "2025-07-29T19:32:16.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30256 (GCVE-0-2025-30256)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:09 – Updated: 2025-11-03 18:09- CWE-772 - Missing Release of Resource after Effective Lifetime
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:52:56.661921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:12:34.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:09:00.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2166"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AC6 V5.0",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "V02.03.01.110"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Lilith \u0026gt;_\u0026gt; of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability exists in the HTTP Header Parsing functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:09:06.026Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2166",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2166"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2025-30256",
"datePublished": "2025-08-20T13:09:06.026Z",
"dateReserved": "2025-03-31T11:59:44.601Z",
"dateUpdated": "2025-11-03T18:09:00.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27421 (GCVE-0-2025-27421)
Vulnerability from cvelistv5 – Published: 2025-03-03 16:19 – Updated: 2025-03-03 16:41| URL | Tags |
|---|---|
| https://github.com/JasonLovesDoggo/abacus/securit… | x_refsource_CONFIRM |
| https://github.com/JasonLovesDoggo/abacus/commit/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| JasonLovesDoggo | abacus |
Affected:
< 1.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27421",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T16:40:35.160534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:41:28.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "abacus",
"vendor": "JasonLovesDoggo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server\u0027s Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:19:23.914Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8"
},
{
"name": "https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33"
}
],
"source": {
"advisory": "GHSA-vh64-54px-qgf8",
"discovery": "UNKNOWN"
},
"title": "Goroutine Leak in Abacus SSE Implementation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27421",
"datePublished": "2025-03-03T16:19:23.914Z",
"dateReserved": "2025-02-24T15:51:17.269Z",
"dateUpdated": "2025-03-03T16:41:28.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22891 (GCVE-0-2025-22891)
Vulnerability from cvelistv5 – Published: 2025-02-05 17:31 – Updated: 2025-02-05 18:21- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000139778 | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:21:03.667204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T18:21:12.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"PEM"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "17.1.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "16.1.5",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "HotfixBIGIP-15.1.10.6.0.11.6-ENG.iso",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "15.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2025-02-05T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T17:31:01.627Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000139778"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BIG-IP PEM Vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2025-22891",
"datePublished": "2025-02-05T17:31:01.627Z",
"dateReserved": "2025-01-22T00:16:50.290Z",
"dateUpdated": "2025-02-05T18:21:12.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-14969 (GCVE-0-2025-14969)
Vulnerability from cvelistv5 – Published: 2026-01-26 19:36 – Updated: 2026-02-05 14:53- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:1965 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2025-14969 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2423822 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Quarkus 3.27.2 |
cpe:/a:redhat:quarkus:3.27::el8 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 |
cpe:/a:redhat:jboss_enterprise_application_platform:8 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack |
cpe:/a:redhat:jbosseapxp |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14969",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T21:00:00.955979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T21:00:10.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:quarkus:3.27::el8"
],
"defaultStatus": "unaffected",
"packageName": "hibernate-reactive-core",
"product": "Red Hat build of Quarkus 3.27.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "hibernate-reactive-core",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "quarkus-hibernate-reactive-panache",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"packageName": "hibernate-reactive-core",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"packageName": "quarkus-hibernate-reactive-panache",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"packageName": "devspaces/dashboard-rhel9",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"packageName": "devspaces/devspaces-operator-bundle",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2025-12-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:53:48.212Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:1965",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:1965"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-14969"
},
{
"name": "RHBZ#2423822",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423822"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T10:48:23.311Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Hibernate-reactive-core: hibernate reactive: denial of service due to connection leak on http client disconnect",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-772: Missing Release of Resource after Effective Lifetime"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-14969",
"datePublished": "2026-01-26T19:36:40.424Z",
"dateReserved": "2025-12-19T10:54:33.492Z",
"dateUpdated": "2026-02-05T14:53:48.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3864 (GCVE-0-2025-3864)
Vulnerability from cvelistv5 – Published: 2025-05-28 11:19 – Updated: 2026-01-26 12:13 X_Open Source- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/benoitc/hackney/issues/717 | issue-tracking |
| https://cert.pl/en/posts/2025/05/CVE-2025-3864/ | third-party-advisory |
| https://github.com/benoitc/hackney/commit/8f13dda… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T13:17:43.365984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T13:17:57.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "hackney",
"repo": "https://github.com/benoitc/hackney",
"vendor": "hackney",
"versions": [
{
"lessThan": "1.24.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz, Marcin Wyczechowski, and Pawe\u0142 Zdunek \u2014 members of the AFINE Team"
}
],
"datePublic": "2025-05-27T10:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library.\u003cbr\u003eFix for this issue has been included in\u0026nbsp;1.24.0 release."
}
],
"value": "Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library.\nFix for this issue has been included in\u00a01.24.0 release."
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T12:13:02.411Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/benoitc/hackney/issues/717"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/05/CVE-2025-3864/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Connection pool exhaustion in hackney",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-3864",
"datePublished": "2025-05-28T11:19:15.208Z",
"dateReserved": "2025-04-22T08:43:49.641Z",
"dateUpdated": "2026-01-26T12:13:02.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0036 (GCVE-0-2025-0036)
Vulnerability from cvelistv5 – Published: 2025-06-09 23:57 – Updated: 2025-06-30 14:48- CWE-682 - Incorrect Calculation
- CWE-772 - Missing Release of Resource after Effective Lifetime
- CWE-940 - Improper Verification of Source of a Communication Channel
- CWE-941 - Incorrectly Specified Destination in a Communication Channel
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
| Vendor | Product | Version | |
|---|---|---|---|
| AMD | Versal Adaptive SoC Devices |
Unaffected:
2025.1 release
(custom)
|
|
| AMD | Versal RF Series |
Unaffected:
2025.1 release
|
|
| AMD | Versal AI Edge Series |
Unaffected:
2025.1 release
|
|
| AMD | Versal Prime Series |
Unaffected:
2025.1 release
|
|
| AMD | Versal Premium Series |
Unaffected:
2025.1 release
|
|
| AMD | Versal AI Core Series |
Unaffected:
2025.1 release
|
|
| AMD | Versal HBM Series |
Unaffected:
2025.1 release
|
|
| AMD | Alveo V80 Compute Accelerator |
Unaffected:
2025.1 release
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:19:45.871057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:27:43.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Versal Adaptive SoC Devices",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Versal RF Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
},
{
"defaultStatus": "affected",
"product": "Versal AI Edge Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
},
{
"defaultStatus": "affected",
"product": "Versal Prime Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
},
{
"defaultStatus": "affected",
"product": "Versal Premium Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
},
{
"defaultStatus": "affected",
"product": "Versal AI Core Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
},
{
"defaultStatus": "affected",
"product": "Versal HBM Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
},
{
"defaultStatus": "affected",
"product": "Alveo V80 Compute Accelerator",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "2025.1 release"
}
]
}
],
"datePublic": "2025-06-03T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In AMD Versal Adaptive SoC devices, the incorrect configuration of the SSS during runtime (post-boot) cryptographic operations could cause data to be incorrectly written to and read from invalid locations as well as returning incorrect cryptographic data.\u003cbr\u003e"
}
],
"value": "In AMD Versal Adaptive SoC devices, the incorrect configuration of the SSS during runtime (post-boot) cryptographic operations could cause data to be incorrectly written to and read from invalid locations as well as returning incorrect cryptographic data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-682",
"description": "CWE-682 Incorrect Calculation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-940",
"description": "CWE-940 Improper Verification of Source of a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-941",
"description": "CWE-941 Incorrectly Specified Destination in a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T14:48:59.255Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8011.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2025-0036",
"datePublished": "2025-06-09T23:57:39.748Z",
"dateReserved": "2024-11-21T16:18:02.918Z",
"dateUpdated": "2025-06-30T14:48:59.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52303 (GCVE-0-2024-52303)
Vulnerability from cvelistv5 – Published: 2024-11-18 20:08 – Updated: 2024-11-19 14:45- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/aio-libs/aiohttp/security/advi… | x_refsource_CONFIRM |
| https://github.com/aio-libs/aiohttp/commit/bc15db… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:aiohttp:aio-libs:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aio-libs",
"vendor": "aiohttp",
"versions": [
{
"lessThan": "3.10.11",
"status": "affected",
"version": "3.10.6",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52303",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T14:39:25.327719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:45:27.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aiohttp",
"vendor": "aio-libs",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.10.6, \u003c 3.10.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T20:08:15.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8"
},
{
"name": "https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936"
}
],
"source": {
"advisory": "GHSA-27mf-ghqm-j3j8",
"discovery": "UNKNOWN"
},
"title": "aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52303",
"datePublished": "2024-11-18T20:08:15.387Z",
"dateReserved": "2024-11-06T19:00:26.396Z",
"dateUpdated": "2024-11-19T14:45:27.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49769 (GCVE-0-2024-49769)
Vulnerability from cvelistv5 – Published: 2024-10-29 14:18 – Updated: 2024-11-17 00:11- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/Pylons/waitress/security/advis… | x_refsource_CONFIRM |
| https://github.com/Pylons/waitress/issues/418 | x_refsource_MISC |
| https://github.com/Pylons/waitress/pull/435 | x_refsource_MISC |
| https://github.com/Pylons/waitress/commit/1ae4e89… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2024… |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pylons:waitress:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "waitress",
"vendor": "pylons",
"versions": [
{
"lessThan": "3.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49769",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:56:24.506825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:56:55.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-17T00:11:26.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "waitress",
"vendor": "Pylons",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won\u0027t correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:18:40.951Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6"
},
{
"name": "https://github.com/Pylons/waitress/issues/418",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Pylons/waitress/issues/418"
},
{
"name": "https://github.com/Pylons/waitress/pull/435",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Pylons/waitress/pull/435"
},
{
"name": "https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c"
}
],
"source": {
"advisory": "GHSA-3f84-rpwh-47g6",
"discovery": "UNKNOWN"
},
"title": "Waitress has a denial of service leading to high CPU usage/resource exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49769",
"datePublished": "2024-10-29T14:18:40.951Z",
"dateReserved": "2024-10-18T13:43:23.457Z",
"dateUpdated": "2024-11-17T00:11:26.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.
Mitigation MIT-47
Strategy: Resource Limitation
- Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.