
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability list (1398)

Summary of the 1398 CVE vulnerabilities classified under CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), with AI-generated Chinese analysis.

CWE-400 covers vulnerabilities in which resource consumption is not controlled; it belongs to the resource-management class of defects. An attacker typically sends a large number of requests or crafts complex queries to exhaust the server's CPU, memory or bandwidth, causing a denial of service. Developers should avoid this class of problem by enforcing strict rate limiting, request-size validation and resource quotas, and by setting reasonable timeouts and exception-handling logic, so that limited resources are allocated and maintained safely within expected bounds.

MITRE CWE official description
CWE-400 Uncontrolled Resource Consumption. Description: The product does not properly control the allocation and maintenance of a limited resource.
Common consequences (2)
Scope: Availability. Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other).
If an attacker can trigger the allocation of the limited resources, but the number or size of the resources is not controlled, then the most common result is denial of service. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding envir…
Scope: Access Control, Other. Impact: Bypass Protection Mechanism, Other.
In some cases it may be possible to force the product to "fail open" in the event of resource exhaustion. The state of the product, and possibly the security functionality, may then be compromised.
Mitigations (4)
Phase: Architecture and Design. Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perha…
Phase: Architecture and Design. Mitigation of resource exhaustion attacks requires that the target system either: recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. The first of these solutions is an issue in itself though, since it may allow attackers to preven…
Phase: Architecture and Design. Ensure that protocols have specific limits of scale placed on them.
Phase: Implementation. Ensure that all failures in resource allocation place the system into a safe posture.
Code examples (2)
The following example demonstrates the weakness.
    class Worker implements Executor {
        ...
        public void execute(Runnable r) {
            try {
                ...
            } catch (InterruptedException ie) {
                // postpone response
                Thread.currentThread().interrupt();
            }
        }

        public Worker(Channel ch, int nworkers) {
            ...
        }

        protected void activate() {
            Runnable loop = new Runnable() {
                public void run() {
                    try {
                        for (;;) {
                            Runnable r = ...;
                            r.run();
                        }
                    } catch (InterruptedException ie) {
                        ...
                    }
                }
            };
            new Thread(loop).start();
        }
    }
Bad · Java
This code allocates a socket and forks each time it receives a new connection.
    sock = socket(AF_INET, SOCK_STREAM, 0);
    while (1) {
        newsock = accept(sock, ...);
        printf("A connection has been accepted\n");
        pid = fork();
    }
Bad · C
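As an added example (not code from MITRE or from this page), the throttling and "safe posture" mitigations listed above applied to the fork-per-connection loop: a token bucket that throttles connection attempts and a hard cap on live child processes, with a single decision function the accept loop calls before fork(). MAX_CHILDREN and the bucket parameters are assumed values.

```c
/* Added example, not code from MITRE or from this page: the throttling and
 * "fail safe" mitigations listed above, applied to the fork-per-connection loop.
 * MAX_CHILDREN and the bucket parameters are assumed values. */
#include <stdbool.h>
#include <stdint.h>

#define MAX_CHILDREN 64   /* cap on concurrently running worker processes (assumed) */

/* Token bucket (one per client, or one global): refills `rate` tokens per second, capped at `burst`. */
struct bucket { double tokens, burst, rate; uint64_t last_ms; };

static void bucket_init(struct bucket *b, double burst, double rate, uint64_t now_ms) {
    b->tokens = burst; b->burst = burst; b->rate = rate; b->last_ms = now_ms;
}

/* Spend one token if available; otherwise the caller must refuse the request. */
static bool bucket_allow(struct bucket *b, uint64_t now_ms) {
    double refill = (now_ms > b->last_ms ? (double)(now_ms - b->last_ms) : 0.0) / 1000.0 * b->rate;
    double t = b->tokens + refill;
    b->tokens = t > b->burst ? b->burst : t;
    b->last_ms = now_ms;
    if (b->tokens < 1.0) return false;
    b->tokens -= 1.0;
    return true;
}

/* Bounded worker pool: `live` is the number of forked children still running. */
struct pool { int live; int rejected; };

static bool pool_admit(struct pool *p) {
    if (p->live >= MAX_CHILDREN) { p->rejected++; return false; }
    p->live++;
    return true;
}

/* Call once per reaped child (e.g. from a waitpid() loop in a SIGCHLD handler). */
static void pool_release(struct pool *p) { if (p->live > 0) p->live--; }

enum admission { ADMIT, REJECT_RATE, REJECT_FULL };

/* Decision point for the accept loop: on REJECT_* the server close()s the new
 * socket and does not fork(); on ADMIT it forks and the child serves the client.
 * Refusing (rather than blocking or crashing) keeps the listener in a safe
 * posture when resources run out. */
static enum admission decide_connection(struct pool *p, struct bucket *b, uint64_t now_ms) {
    if (!bucket_allow(b, now_ms)) return REJECT_RATE;   /* too many attempts */
    if (!pool_admit(p)) return REJECT_FULL;             /* all worker slots busy */
    return ADMIT;
}
```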
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2022-20808 | Cisco Smart Software Manager On-Prem and Cisco Smart Software Manager resource management error vulnerability | Cisco Smart Software Manager On-Prem | 7.7 | High | 2022-07-06 |
| CVE-2022-31129 | Moment.js resource management error vulnerability | moment | 7.5 | High | 2022-07-06 |
| CVE-2014-3648 | simplepush resource management error vulnerability | Jboss Aerogear | 7.5 | - | 2022-07-01 |
| CVE-2022-31110 | RSSHub resource management error vulnerability | RSSHub | 5.3 | Medium | 2022-06-29 |
| CVE-2022-26477 | Apache SystemDS resource management error vulnerability | Apache SystemDS | 7.5 | - | 2022-06-27 |
| CVE-2022-31016 | Red Hat OpenShift resource management error vulnerability | argo-cd | 6.5 | Medium | 2022-06-25 |
| CVE-2022-31803 | CODESYS Gateway Server resource management error vulnerability | CODESYS Gateway Server V2 | 5.3 | Medium | 2022-06-24 |
| CVE-2022-27889 | Multipass security vulnerability | Foundry Multipass | 5.3 | Medium | 2022-06-14 |
| CVE-2022-31054 | Argo buffer error vulnerability | argo-events | 7.5 | High | 2022-06-13 |
| CVE-2022-29225 | Envoy security vulnerability | envoy | 7.5 | High | 2022-06-09 |
| CVE-2022-1708 | CRI-O resource management error vulnerability | CRI-O | 6.5 | - | 2022-06-07 |
| CVE-2022-31030 | Apache containerd resource management error vulnerability | containerd | 5.5 | Medium | 2022-06-06 |
| CVE-2022-31028 | MinIO resource management error vulnerability | minio | 7.5 | High | 2022-06-03 |
| CVE-2022-22556 | Dell EMC PowerStore resource management error vulnerability | PowerStore | 3.7 | Low | 2022-06-02 |
| CVE-2022-1982 | Mattermost resource management error vulnerability | Mattermost | 4.3 | Medium | 2022-06-02 |
| CVE-2022-31018 | Lightbend Play Framework resource management error vulnerability | playframework | 7.5 | High | 2022-06-02 |
| CVE-2022-27781 | curl security vulnerability | https://github.com/curl/curl | 7.5 | - | 2022-06-01 |
| CVE-2022-1797 | Rockwell Automation Logix Controllers resource management error vulnerability | CompactLogix 5380 controllers | 6.8 | Medium | 2022-05-31 |
| CVE-2021-3629 | Red Hat Undertow resource management error vulnerability | undertow | 5.9 | - | 2022-05-24 |
| CVE-2022-29177 | Go Ethereum resource management error vulnerability | go-ethereum | 5.9 | Medium | 2022-05-20 |
| CVE-2022-28191 | NVIDIA vGPU Manager resource management error vulnerability | NVIDIA Virtual GPU Software and NVIDIA Cloud Gaming | 5.5 | Medium | 2022-05-17 |
| CVE-2022-29885 | Apache Tomcat resource management error vulnerability | Apache Tomcat | 7.5 | - | 2022-05-12 |
| CVE-2022-27640 | Siemens SIMATIC resource management error vulnerability | SIMATIC CP 442-1 RNA | 6.5 | - | 2022-05-10 |
| CVE-2022-24040 | Multiple Siemens products resource management error vulnerability | Desigo DXR2 | 6.5 | - | 2022-05-10 |
| CVE-2022-24902 | TKVideoplayer resource management error vulnerability | tkVideoPlayer | 2.9 | Low | 2022-05-05 |
| CVE-2022-29167 | hawk resource management error vulnerability | hawk | 7.4 | High | 2022-05-05 |
| CVE-2022-29480 | F5 BIG-IP resource management error vulnerability | BIG-IP | 5.3 | Medium | 2022-05-05 |
| CVE-2022-28701 | F5 BIG-IP resource management error vulnerability | BIG-IP | 7.5 | High | 2022-05-05 |
| CVE-2022-28691 | F5 BIG-IP resource management error vulnerability | BIG-IP | 7.5 | High | 2022-05-05 |
| CVE-2022-26372 | F5 BIG-IP resource management error vulnerability | BIG-IP | 7.5 | High | 2022-05-05 |

CWE-400 (Uncontrolled Resource Consumption ('Resource Exhaustion')) is a common weakness category; this platform has catalogued 1398 CVE vulnerabilities associated with it.