Total
177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27434 | 2 Microsoft, Unified-automation | 2 .net, .net Based Opc Ua Client\/server Sdk | 2022-10-07 | 5.0 MEDIUM | 7.5 HIGH |
| Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow. | |||||
| CVE-2021-45105 | 5 Apache, Debian, Netapp and 2 more | 121 Log4j, Debian Linux, Cloud Manager and 118 more | 2022-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. | |||||
| CVE-2017-0886 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service. | |||||
| CVE-2021-3530 | 2 Gnu, Netapp | 2 Binutils, Ontap Select Deploy Administration Utility | 2022-09-28 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash. | |||||
| CVE-2022-3222 | 1 Gpac | 1 Gpac | 2022-09-19 | N/A | 5.5 MEDIUM |
| Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV. | |||||
| CVE-2021-42717 | 4 Debian, F5, Oracle and 1 more | 5 Debian Linux, Nginx Modsecurity Waf, Http Server and 2 more | 2022-09-02 | 5.0 MEDIUM | 7.5 HIGH |
| ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. | |||||
| CVE-2022-1771 | 1 Vim | 1 Vim | 2022-08-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. | |||||
| CVE-2021-20255 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-08-05 | 2.1 LOW | 5.5 MEDIUM |
| A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2022-37315 | 1 Graphql-go Project | 1 Graphql-go | 2022-08-05 | N/A | 7.5 HIGH |
| graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser. | |||||
| CVE-2019-10761 | 1 Vm2 Project | 1 Vm2 | 2022-07-21 | N/A | 8.3 HIGH |
| This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code. | |||||
| CVE-2021-38566 | 1 Foxitsoftware | 2 Pdf Editor, Pdf Reader | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It allows stack consumption during recursive processing of embedded XML nodes. | |||||
| CVE-2022-31099 | 1 Pomsky-lang | 1 Pomsky | 2022-07-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. This is a security concern for you, if your service parses untrusted rulex expressions (expressions provided by an untrusted user), and your service becomes unavailable when the process running rulex aborts due to a stack overflow. The crash is fixed in version **0.4.3**. Affected users are advised to update to this version. There are no known workarounds for this issue. | |||||
| CVE-2022-31052 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2022-07-08 | 3.5 LOW | 6.5 MEDIUM |
| Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false. | |||||
| CVE-2020-28242 | 3 Asterisk, Debian, Fedoraproject | 4 Certified Asterisk, Open Source, Debian Linux and 1 more | 2022-06-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur. | |||||
| CVE-2020-6071 | 2 Debian, Videolabs | 2 Debian Linux, Libmicrodns | 2022-06-03 | 5.0 MEDIUM | 7.5 HIGH |
| An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability. | |||||
| CVE-2020-8285 | 8 Apple, Debian, Fedoraproject and 5 more | 29 Mac Os X, Macos, Debian Linux and 26 more | 2022-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. | |||||
| CVE-2020-28196 | 4 Fedoraproject, Mit, Netapp and 1 more | 11 Fedora, Kerberos 5, Active Iq Unified Manager and 8 more | 2022-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit. | |||||
| CVE-2021-22144 | 2 Elastic, Oracle | 2 Elasticsearch, Communications Cloud Native Core Automated Test Suite | 2022-05-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node. | |||||
| CVE-2021-43519 | 2 Fedoraproject, Lua | 2 Fedora, Lua | 2022-05-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file. | |||||
| CVE-2019-12295 | 4 Canonical, Debian, F5 and 1 more | 16 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 13 more | 2022-05-03 | 5.0 MEDIUM | 7.5 HIGH |
| In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion. | |||||