Total
1255 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23524 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2023-03-08 | N/A | 7.5 HIGH |
A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, tvOS 16.3.2, watchOS 9.3.1. Processing a maliciously crafted certificate may lead to a denial-of-service. | |||||
CVE-2023-23009 | 2 Debian, Libreswan | 2 Debian Linux, Libreswan | 2023-03-07 | N/A | 6.5 MEDIUM |
Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via a crafted TS payload with an incorrect selector length. | |||||
CVE-2023-25816 | 1 Nextcloud | 1 Nextcloud Server | 2023-03-07 | N/A | 6.5 MEDIUM |
Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3. No workaround is available. | |||||
CVE-2023-26104 | 1 Lite-web-server Project | 1 Lite-web-server | 2023-03-06 | N/A | 7.5 HIGH |
All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse. | |||||
CVE-2023-23296 | 1 Korenix | 29 Jetwave 2111, Jetwave 2111 Firmware, Jetwave 2111l and 26 more | 2023-03-06 | N/A | 6.5 MEDIUM |
Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault. | |||||
CVE-2022-27812 | 1 Stormshield | 1 Network Security | 2023-03-03 | N/A | 7.5 HIGH |
Flooding SNS firewall versions 3.7.0 to 3.7.29, 3.11.0 to 3.11.17, 4.2.0 to 4.2.10, and 4.3.0 to 4.3.6 with specific forged traffic can lead to SNS DoS. | |||||
CVE-2020-15565 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Leap and 1 more | 2023-03-03 | 6.1 MEDIUM | 8.8 HIGH |
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. | |||||
CVE-2022-21222 | 1 Css-what Project | 1 Css-what | 2023-03-03 | N/A | 7.5 HIGH |
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of an insecure regular expression in the re_attr variable of index.js. The vulnerability can be triggered via the parse function. | |||||
CVE-2022-3204 | 2 Fedoraproject, Nlnetlabs | 2 Fedora, Unbound | 2023-03-02 | N/A | 7.5 HIGH |
A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records. | |||||
CVE-2019-9674 | 3 Canonical, Netapp, Python | 3 Ubuntu Linux, Active Iq Unified Manager, Python | 2023-03-01 | 5.0 MEDIUM | 7.5 HIGH |
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. | |||||
CVE-2022-40150 | 2 Debian, Jettison Project | 2 Debian Linux, Jettison | 2023-03-01 | N/A | 7.5 HIGH |
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with an out-of-memory error. This effect may support a denial of service attack. | |||||
CVE-2022-45873 | 2 Fedoraproject, Systemd Project | 2 Fedora, Systemd | 2023-03-01 | N/A | 5.5 MEDIUM |
systemd 250 and 251 allow local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file. | |||||
CVE-2021-33623 | 3 Debian, Netapp, Trim-newlines Project | 3 Debian Linux, E-series Performance Analyzer, Trim-newlines | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. | |||||
CVE-2021-3759 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-02-28 | N/A | 5.5 MEDIUM |
A memory overflow vulnerability was found in the Linux kernel’s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability. | |||||
CVE-2022-22969 | 2 Oracle, Pivotal | 2 Communications Design Studio, Spring Security Oauth | 2023-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only. | |||||
CVE-2020-14152 | 2 Debian, Ijg | 2 Debian Linux, Libjpeg | 2023-02-27 | 5.8 MEDIUM | 7.1 HIGH |
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption. | |||||
CVE-2023-0662 | 1 Php | 1 Php | 2023-02-24 | N/A | 7.5 HIGH |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, an excessive number of parts in an HTTP form upload can cause high resource consumption and an excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. | |||||
CVE-2021-37136 | 5 Debian, Netapp, Netty and 2 more | 19 Debian Linux, Oncommand Insight, Netty and 16 more | 2023-02-24 | 5.0 MEDIUM | 7.5 HIGH |
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. | |||||
CVE-2021-37137 | 5 Debian, Netapp, Netty and 2 more | 12 Debian Linux, Oncommand Insight, Netty and 9 more | 2023-02-24 | 5.0 MEDIUM | 7.5 HIGH |
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. | |||||
CVE-2022-24839 | 2 Nekohtml Project, Oracle | 2 Nekohtml, Weblogic Server | 2023-02-23 | 5.0 MEDIUM | 7.5 HIGH |
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability. |