
CWE-405 Asymmetric Resource Consumption (Amplification): vulnerability list (33)

Summary of the 33 CVE vulnerabilities in the CWE-405 Asymmetric Resource Consumption (Amplification) weakness class, with AI-generated Chinese analysis.

CWE-405 is an asymmetric resource consumption weakness: the system fails to limit situations in which an attacker can trigger large resource consumption at very small cost. Attackers commonly exploit this flaw by sending a small number of requests that cause a non-linear surge in server resource usage, leading to denial of service or severe performance degradation. Developers should implement strict rate limiting, resource quota management and input validation so that the cost a user imposes on the system stays in reasonable proportion to the user's own effort, preventing resources from being maliciously amplified.

MITRE CWE official description
CWE-405: Asymmetric Resource Consumption (Amplification). The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric". This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. The situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Common consequences (1)
Availability: DoS: Amplification; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
Mitigations (3)
Architecture and Design: An application must make resources available to a client commensurate with the client's access level.
Architecture and Design: An application must, at all times, keep track of allocated resources and meter their usage appropriately.
System Configuration: Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange. Effectiveness: High
Code examples (2)
This code listens on a port for DNS requests and sends the result to the requesting address.
import socket

# UDP_IP, UDP_PORT, parseUDPpacket, resolveName and sendResponse are assumed
# to be defined elsewhere, as in the original listing.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))
while True:
    # recvfrom returns (payload, sender address); only the payload is used here
    data, _addr = sock.recvfrom(1024)
    if not data:
        break
    # The reply goes to whatever address the request names, with no rate limit
    # or sender verification: a small (possibly spoofed) request produces a
    # larger response aimed at a third party, i.e. amplification.
    (requestIP, nameToResolve) = parseUDPpacket(data)
    record = resolveName(nameToResolve)
    sendResponse(requestIP, record)
Bad · Python
This function prints the contents of a specified file requested by a user.
function printFile($username, $filename) {
    // Read the whole file into a string BEFORE checking whether the caller
    // may see it: the expensive work is spent even for unauthorized requests.
    $file = file_get_contents($filename);
    if ($file && isOwnerOf($username, $filename)) {
        echo $file;
        return true;
    } else {
        echo 'You are not authorized to view this file';
    }
    return false;
}
Bad · PHP
CVE ID | Title | Affected component | CVSS | Risk level | Published
CVE-2026-35665 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-10
CVE-2026-35626 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-09
CVE-2026-25611 | MongoDB Server security vulnerability | MongoDB Server | 7.5 | High | 2026-02-10
CVE-2026-24324 | SAP BusinessObjects Business Intelligence Platform security vulnerability | SAP BusinessObjects Business Intelligence Platform (AdminTools) | 6.5 | Medium | 2026-02-10
CVE-2026-0485 | SAP BusinessObjects BI Platform security vulnerability | SAP BusinessObjects BI Platform | 7.5 | High | 2026-02-10
CVE-2026-22775 | Svelte security vulnerability | devalue | 7.5 | High | 2026-01-15
CVE-2026-22774 | Svelte security vulnerability | devalue | 7.5 | High | 2026-01-15
CVE-2025-68480 | marshmallow security vulnerability | marshmallow | 5.3 | Medium | 2025-12-22
CVE-2025-42876 | SAP S/4 HANA security vulnerability | SAP S/4 HANA Private Cloud (Financials General Ledger) | 7.1 | High | 2025-12-09
CVE-2025-42874 | SAP NetWeaver security vulnerability | SAP NetWeaver (remote service for Xcelsius) | 7.9 | High | 2025-12-09
CVE-2025-42873 | SAP SAPUI5 security vulnerability | SAPUI5 framework (Markdown-it component) | 5.9 | Medium | 2025-12-09
CVE-2025-66564 | Sigstore Timestamp Authority security vulnerability | timestamp-authority | 7.5 | High | 2025-12-04
CVE-2025-66506 | Fulcio security vulnerability | fulcio | 7.5 | High | 2025-12-04
CVE-2025-49643 | Zabbix security vulnerability | Zabbix | 6.5 (AI) | Medium (AI) | 2025-12-01
CVE-2025-8677 | ISC BIND 9 security vulnerability | BIND 9 | 7.5 | High | 2025-10-22
CVE-2025-26516 | NetApp StorageGRID security vulnerability | StorageGRID | 5.3 | Medium | 2025-09-19
CVE-2025-31987 | HCL Connections Docs security vulnerability | Connections Docs | 4.8 | Medium | 2025-08-14
CVE-2025-53633 | Chall-Manager security vulnerability | chall-manager | 9.1 (AI) | Critical (AI) | 2025-07-10
CVE-2025-30204 | jwt-go security vulnerability | jwt | 7.5 | High | 2025-03-21
CVE-2024-11187 | ISC BIND security vulnerability | BIND 9 | 7.5 | High | 2025-01-29
CVE-2025-24356 | fastd security vulnerability | fastd | 7.5 | - | 2025-01-27
CVE-2024-55628 | Suricata security vulnerability | suricata | 7.5 | High | 2025-01-06
CVE-2024-49363 | Misskey security vulnerability | misskey | 7.4 | High | 2024-12-18
CVE-2024-45590 | body-parser security vulnerability | body-parser | 7.5 | High | 2024-09-10
CVE-2024-40705 | IBM InfoSphere Information Server security vulnerability | InfoSphere Information Server | 6.5 | Medium | 2024-08-15
CVE-2024-34702 | Botan security vulnerability | botan | 5.3 | Medium | 2024-07-08
CVE-2024-39743 | IBM MQ Operator security vulnerability | MQ Operator | 5.9 | Medium | 2024-07-08
CVE-2024-34703 | Botan security vulnerability | botan | 7.5 | High | 2024-06-30
CVE-2024-0450 | Python security vulnerability | CPython | 6.2 | Medium | 2024-03-19
CVE-2024-28214 | nGrinder security vulnerability | nGrinder | 7.5 (AI) | High (AI) | 2024-03-07

Entries marked "(AI)" carry the page's AI badge on their score and risk level.

CWE-405 (Asymmetric Resource Consumption (Amplification)) is a common weakness category; this platform has collected 33 CVE vulnerabilities associated with it.