
CWE-770 Allocation of Resources Without Limits or Throttling: vulnerability list (826)

A roundup of the 826 CVE vulnerabilities associated with the CWE-770 (Allocation of Resources Without Limits or Throttling) weakness class, with AI-generated Chinese analysis.

CWE-770 is a resource-management flaw: the system places no limit or throttle on the allocation of reusable resources. Attackers typically exhaust system resources by sending large volumes of requests, causing denial of service or performance collapse. Developers should mitigate the risk by setting concurrency caps, enforcing rate limits and monitoring resource utilisation, so that allocation of critical resources is strictly controlled and malicious abuse is prevented.

MITRE CWE official description
CWE-770 Allocation of Resources Without Limits or Throttling. Description: the product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. It can be easy for an attacker to consume many resources by rapidly making many requests or causing larger resources to be used than is needed.
Mitigations (5)
Requirements: Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
Architecture and Design: Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Architecture and Design: Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected …
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Code Examples (2)
This code allocates a socket and forks each time it receives a new connection.
```c
int sock, newsock;
pid_t pid;

sock = socket(AF_INET, SOCK_STREAM, 0);
while (1) {
    newsock = accept(sock, ...);   /* accept arguments elided in the original */
    printf("A connection has been accepted\n");
    pid = fork();                  /* one new child per connection, with no upper bound */
}
```
Bad · C
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the da…
```c
int writeDataFromSocketToFile(char *host, int port)
{
    char filename[FILENAME_SIZE];
    char buffer[BUFFER_SIZE];
    int socket = openSocketConnection(host, port);

    if (socket < 0) {
        printf("Unable to open socket connection");
        return(FAIL);
    }
    if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {
        if (openFileToWrite(filename) > 0) {
            /* no limit on how much data the client may stream into the file */
            while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0) {
                if (!(writeToFile(buffer) > 0))
                    break;
            }
        }
        closeFile();
    }
    closeSocket(socket);
    return(SUCCESS);   /* SUCCESS assumed to be defined alongside FAIL; the original fell off the end */
}
```
Bad · C
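A hardened counterpart to the fork-per-connection loop above, as an added example (not code from the MITRE entry or this page): live children are counted, exited children are reaped, and connections beyond a cap are refused rather than forked. MAX_CHILDREN, the limiter type and the function names are this example's own choices.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CHILDREN 64   /* assumed cap; tune to the host's resources */

typedef struct {
    int limit;
    int active;           /* children currently alive */
    int rejected;         /* connections refused at the cap (worth monitoring) */
} child_limiter;

/* Take a slot and return 1 if a child may be forked, else count the refusal and return 0. */
int limiter_admit(child_limiter *l) {
    if (l->active >= l->limit) { l->rejected++; return 0; }
    l->active++;
    return 1;
}

/* Give one slot back; never drops below zero. */
void limiter_release(child_limiter *l) {
    if (l->active > 0) l->active--;
}

/* Reap every exited child without blocking and free its slot; returns the number reaped. */
int limiter_reap(child_limiter *l) {
    int reaped = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0) { limiter_release(l); reaped++; }
    return reaped;
}

/* Accept loop with admission control; sock is an already listening socket. */
int serve(int sock) {
    child_limiter lim = { MAX_CHILDREN, 0, 0 };
    while (1) {
        int newsock = accept(sock, NULL, NULL);
        if (newsock < 0) { if (errno == EINTR) continue; return -1; }
        limiter_reap(&lim);                  /* reclaim finished slots before deciding */
        if (!limiter_admit(&lim)) {          /* at the cap: refuse instead of forking */
            close(newsock);
            continue;
        }
        pid_t pid = fork();
        if (pid == 0) { close(sock); /* child would handle newsock here */ _exit(0); }
        if (pid < 0) limiter_release(&lim); /* fork failed: give the slot back */
        close(newsock);                      /* parent keeps only the listener */
    }
}
```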
Scores marked (AI) carry the page's AI badge.

| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-42189 | Russh keyboard-interactive authentication unbounded allocation denial-of-service vulnerability | russh | 7.5 | High | 2026-05-08 |
| CVE-2026-42793 | Absinthe GraphQL SDL names can exhaust the atom table | absinthe | -- | -- | 2026-05-08 |
| CVE-2026-44499 | ZEBRA gossip queue saturation and syncer poisoning cause permanent block-discovery stall | zebra | -- | -- | 2026-05-08 |
| CVE-2026-44500 | ZEBRA inbound network deserializer allocation amplification vulnerability | zebra | 5.3 | Medium | 2026-05-08 |
| CVE-2026-8124 | GPAC sidx_box_read resource allocation vulnerability | GPAC | 3.3 | Low | 2026-05-08 |
| CVE-2026-7541 | GitHub Enterprise Server denial-of-service vulnerability | Enterprise Server | -- | -- | 2026-05-07 |
| CVE-2026-41685 | Incus unrestricted binary import disk exhaustion vulnerability | incus | 4.3 | Medium | 2026-05-07 |
| CVE-2026-41648 | Incus unbounded YAML metadata decoding vulnerability | incus | -- | -- | 2026-05-07 |
| CVE-2026-41484 | OpenTelemetry.Exporter.OneCollector denial-of-service vulnerability | opentelemetry-dotnet-contrib | 5.3 | Medium | 2026-05-06 |
| CVE-2026-41483 | OpenTelemetry Azure resource module unbounded HTTP response body read vulnerability | opentelemetry-dotnet-contrib | 5.9 | Medium | 2026-05-06 |
| CVE-2026-41310 | OpenTelemetry .NET Zipkin exporter remote endpoint cache unbounded growth leading to memory exhaustion | opentelemetry-dotnet | 5.3 | Medium | 2026-05-06 |
| CVE-2026-32934 | CoreDNS DoQ unbounded goroutine growth denial-of-service vulnerability | coredns | -- | -- | 2026-05-05 |
| CVE-2026-32689 | Phoenix long-poll NDJSON unbounded memory allocation vulnerability | phoenix | -- | -- | 2026-05-05 |
| CVE-2026-29168 | Apache HTTP Server mod_md unauthorized OCSP response vulnerability | Apache HTTP Server | 7.5 (AI) | High (AI) | 2026-05-05 |
| CVE-2026-42437 | OpenClaw 2026.4.9 to 2026.4.10 denial-of-service vulnerability | OpenClaw | 7.5 | High | 2026-05-05 |
| CVE-2026-7776 | Boundary workers TLS handshake denial-of-service vulnerability | Boundary | 7.5 | High | 2026-05-04 |
| CVE-2026-7768 | @fastify/accepts-serializer denial-of-service vulnerability | @fastify/accepts-serializer | 7.5 | High | 2026-05-04 |
| CVE-2026-42236 | n8n unauthenticated denial-of-service vulnerability | n8n | 7.5 (AI) | High (AI) | 2026-05-04 |
| CVE-2026-6948 | VQLResponse result-set writer unbounded memory allocation vulnerability | Velociraptor | 4.9 | Medium | 2026-05-03 |
| CVE-2026-39804 | Bandit WebSocket permessage-deflate unbounded output vulnerability | bandit | 7.5 (AI) | High (AI) | 2026-05-01 |
| CVE-2026-42786 | Bandit WebSocket fragmented-message reassembly unbounded vulnerability | bandit | 7.5 (AI) | High (AI) | 2026-05-01 |
| CVE-2026-42788 | Bandit HTTP/2 frame size limit check vulnerability | bandit | 5.9 (AI) | Medium (AI) | 2026-05-01 |
| CVE-2026-43507 | Prosody <= 13.0.5 denial-of-service vulnerability | Prosody | 5.3 | Medium | 2026-05-01 |
| CVE-2025-36122 | IBM Db2 crafted query under automatic stmtheap causes denial of service | Db2 | 6.5 | Medium | 2026-04-30 |
| CVE-2025-51846 | CryptPad unbounded WebSocket frame flood vulnerability | CryptPad | 7.5 | High | 2026-04-30 |
| CVE-2026-42198 | pgJDBC security vulnerability | pgjdbc | 7.5 | High | 2026-04-29 |
| CVE-2026-42420 | OpenClaw security vulnerability | OpenClaw | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41408 | OpenClaw security vulnerability | OpenClaw | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41400 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-28 |
| CVE-2026-41399 | OpenClaw security vulnerability | OpenClaw | 7.5 | High | 2026-04-28 |

CWE-770 (Allocation of Resources Without Limits or Throttling) is a common weakness class; this platform records 826 CVE vulnerabilities associated with it.