CWE:

Title: SAP Netweaver Enqueue Server Trace Pattern Denial Of Service
Date: 17.10.2014
Author: CORE

Common Weakness Enumeration (CWE)

CVE
Details
Description
Date: 2022-09-15
Severity: waiting for details
CVE: CVE-2022-3222
Description: Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.

Date: 2022-06-28
Severity: waiting for details
CVE: CVE-2022-31052
Description: Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.

Date: 2022-06-27
Severity: waiting for details
CVE: CVE-2022-31099
Description: rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. This is a security concern for you if your service parses untrusted rulex expressions (expressions provided by an untrusted user) and becomes unavailable when the process running rulex aborts due to a stack overflow. The crash is fixed in version **0.4.3**. Affected users are advised to update to this version. There are no known workarounds for this issue.

Date: 2022-05-18
Severity: Low
CVE: CVE-2022-1771
Vendor: VIM
Software: VIM
Description: Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.

Severity: Low
CVE: CVE-2022-30974
Vendor: Artifex
Software: MUJS
Description: The compile function in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.

Date: 2022-02-22
Severity: Low
CVE: CVE-2022-23606
Vendor: Envoyproxy
Software: Envoy
Description: Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.

Date: 2022-01-28
Severity: Medium
CVE: CVE-2022-23889
Vendor: Yzmcms
Software: Yzmcms
Description: The comment function in YzmCMS v6.3 was found to be invocable concurrently, allowing attackers to create an unusually large number of comments.

Date: 2022-01-14
Severity: Low
CVE: CVE-2021-46195
Vendor: GNU
Software: GCC
Description: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

Date: 2021-12-07
Severity: Medium
CVE: CVE-2021-42717
Vendor: Trustwave
Software: Modsecurity
Description: ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. ModSecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Date: 2021-11-19
Severity: Medium
CVE: CVE-2021-39929
Vendor: Wireshark
Software: Wireshark
Description: Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.

Copyright 2022, cxsecurity.com