CWE-410 (Insufficient Resource Pool) — Vulnerability Class 18

18 vulnerabilities classified as CWE-410 (Insufficient Resource Pool). AI Chinese analysis included.

CWE-410 represents a resource exhaustion weakness where a system’s capacity to manage concurrent requests is insufficient for peak demand. This flaw allows attackers to trigger denial-of-service conditions by flooding the application with a high volume of connection or session requests, effectively monopolizing limited resources and preventing legitimate users from accessing services. Exploitation typically involves automated scripts generating rapid, repetitive requests that overwhelm the resource pool before the system can process or discard them. To mitigate this risk, developers must implement robust resource management strategies, including strict rate limiting, connection pooling, and timeout mechanisms. Additionally, employing load balancing and scaling infrastructure ensures that the system can handle traffic spikes gracefully, maintaining availability even under adversarial pressure or unexpected surges in legitimate usage.

MITRE CWE Description
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. Frequently the consequence is a "flood" of connection or sessions.
Common Consequences (1)
Scope: Availability, Integrity, Other
Impact: DoS: Crash, Exit, or Restart; Other
Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.
Mitigations (5)
Architecture and Design: Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
Architecture and Design: Consider implementing a velocity check mechanism which would detect abusive behavior.
Operation: Consider load balancing as an option to handle heavy loads.
Implementation: Make sure that resource handles are properly closed when no longer needed.
Architecture and Design: Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).
Examples (1)
In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.
<Resource name="jdbc/exampledb"
          auth="Container"
          type="javax.sql.DataSource"
          removeAbandoned="true"
          removeAbandonedTimeout="30"
          maxActive="5"
          maxIdle="5"
          maxWait="60000"
          username="testuser"
          password="testpass"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost/exampledb"/>
Bad · XML
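The same pool, modelled in Python as an added example that is not part of the CWE entry or of any product listed here: five handles and an acquire timeout mirror the maxActive and maxWait settings above, and a per-client cap implements the velocity check from the mitigations. The class names, the simulate() helper and its sample clients "A" and "B" are constructed for illustration.

```python
import threading
from collections import defaultdict


class PoolExhausted(Exception): "No handle freed within max_wait: the CWE-410 condition."
class ClientQuotaExceeded(Exception): "The caller already holds its allowed share of the pool."


class BoundedPool:
    """Fixed-size handle pool with an acquire timeout and a per-client cap."""

    def __init__(self, max_active, max_wait, per_client_max):
        self._free = threading.Semaphore(max_active)  # cf. Tomcat maxActive
        self._max_wait = max_wait                     # cf. maxWait, in seconds
        self._per_client_max = per_client_max         # the velocity/quota check
        self._held = defaultdict(int)                 # client -> handles held
        self._lock = threading.Lock()

    def acquire(self, client):
        # Check the per-client quota before touching the shared pool, so one
        # caller cannot take every handle and starve everyone else.
        with self._lock:
            if self._held[client] >= self._per_client_max:
                raise ClientQuotaExceeded(client)
            self._held[client] += 1
        if not self._free.acquire(timeout=self._max_wait):
            with self._lock:
                self._held[client] -= 1
            raise PoolExhausted(client)

    def release(self, client):
        with self._lock:
            self._held[client] -= 1
        self._free.release()


def simulate(per_client_max, requests):
    """Acquire one handle per request and never release it (a stuck or abusive
    caller); return 'ok', 'quota' or 'exhausted' for each request in order."""
    pool = BoundedPool(max_active=5, max_wait=0.05, per_client_max=per_client_max)
    outcomes = []
    for client in requests:        # constructed sample: client ids "A", "B"
        try:
            pool.acquire(client)
            outcomes.append("ok")
        except ClientQuotaExceeded:
            outcomes.append("quota")
        except PoolExhausted:
            outcomes.append("exhausted")
    return outcomes
```

With no effective per-client cap, six requests from "A" leave "B" waiting out the timeout; with a cap of 2, "A" is refused at its third request and "B" still gets a handle.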
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-2134 | IBM Jazz Reporting Service Denial of Service | Jazz Reporting Service | 3.5 | Low | 2026-02-04
CVE-2025-12986 | Denial of Service Vulnerability in Silicon Labs WF200 and WGM160P Devices | Gecko SDK | 7.5 (AI) | High (AI) | 2025-12-04
CVE-2025-41653 | Weidmueller: Denial-of-Service Vulnerability in the web server functionality of Industrial Ethernet Switches | IE-SW-VL05M-5TX | 7.5 | High | 2025-05-27
CVE-2025-27479 | Kerberos Key Distribution Proxy Service Denial of Service Vulnerability | Windows Server 2012 | 7.5 | High | 2025-04-08
CVE-2025-27694 | Dell Wyse Management Suite Security Vulnerability | Wyse Management Suite | 5.3 | Medium | 2025-04-02
CVE-2025-0453 | Denial of Service through Batched Queries in GraphQL in mlflow/mlflow | mlflow/mlflow | 7.5 | - | 2025-03-20
CVE-2024-7392 | ChargePoint Home Flex Bluetooth Low Energy Denial-of-Service Vulnerability | Home Flex | 6.5 | - | 2024-11-22
CVE-2023-7033 | Mitsubishi Electric MELSEC iQ-F series Security Vulnerability | MELSEC iQ-R series CPU module R00CPU | 5.3 | Medium | 2024-02-27
CVE-2023-38505 | DietPi-Dashboard Insufficient TLS Handshake Pool | DietPi-Dashboard | 7.5 | High | 2023-07-27
CVE-2022-40224 | Moxa SDS-3008 Security Vulnerability | SDS-3008 Series Industrial Ethernet Switch | 7.5 | - | 2023-02-07
CVE-2022-46679 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 6.5 | Medium | 2023-02-01
CVE-2022-20937 | Cisco Identity Services Engine Resource Management Error Vulnerability | Cisco Identity Services Engine Software | 5.3 | Medium | 2022-11-03
CVE-2022-2048 | Eclipse Jetty Security Vulnerability | Eclipse Jetty | 7.5 | High | 2022-07-07
CVE-2022-22191 | Junos OS: EX4300: PFE Denial of Service (DoS) upon receipt of a flood of specific ARP traffic | Junos OS | 6.5 | Medium | 2022-04-14
CVE-2021-1615 | Cisco Embedded Wireless Controller Software for Catalyst Access Points Denial of Service Vulnerability | Cisco IOS XE Software | 8.6 | High | 2021-09-23
CVE-2019-13921 | Siemens SIMATIC WinAC RTX(F)2010 Resource Management Error Vulnerability | SIMATIC WinAC RTX (F) 2010 | 7.5 | - | 2019-10-10
CVE-2019-0056 | Junos OS: MX Series: An MPC10 Denial of Service (DoS) due to OSPF states transitioning to Down, causes traffic to stop forwarding through the device. | Junos OS | 7.5 | High | 2019-10-09
CVE-2018-13815 | Siemens SIMATIC S7-1200 and SIMATIC S7-1500 Security Vulnerability | SIMATIC S7-1200, SIMATIC S7-1500 | 7.5 | - | 2018-12-13

Vulnerabilities classified as CWE-410 (Insufficient Resource Pool) represent 18 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.