
CWE-770 (Allocation of Resources Without Limits or Throttling) — Vulnerability Class 826

826 vulnerabilities classified as CWE-770 (Allocation of Resources Without Limits or Throttling). AI Chinese analysis included.

CWE-770 represents a critical resource management weakness where software allocates reusable resources, such as memory, file descriptors, or database connections, without enforcing limits or throttling mechanisms. This vulnerability typically arises when applications accept untrusted input or handle high-volume requests, allowing malicious actors to trigger excessive resource consumption. By rapidly requesting numerous resources, attackers can exhaust system capacity, leading to denial-of-service conditions that degrade performance or crash the entire service. To mitigate this risk, developers must implement strict quotas, rate limiting, and connection pooling strategies. Enforcing maximum thresholds for resource allocation ensures that no single user or process can monopolize system assets, thereby maintaining stability and availability even under heavy load or targeted abuse attempts.

MITRE CWE Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Common Consequences (1)
Scope: Availability
Impact: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. It can be easy for an attacker to consume many resources by rapidly making many requests or causing larger resources to be used than is needed.
Mitigations (5)
Requirements: Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
Architecture and Design: Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Architecture and Design: Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected …
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Examples (2)
This code allocates a socket and forks each time it receives a new connection.
    sock = socket(AF_INET, SOCK_STREAM, 0);
    while (1) {
        newsock = accept(sock, ...);
        printf("A connection has been accepted\n");
        pid = fork();   /* one child per connection, no cap on how many exist at once */
    }
Bad · C
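The following is an added example, not code from MITRE's CWE-770 entry or from this page: it applies the mitigations listed above (a global cap, a per-user limit, and a defined behaviour when the limit is reached) to the fork-per-connection server in the "Bad" example. The limiter reserves a slot before each fork, refuses the connection when either cap is hit, and reaps exited children so their slots are returned. The limit values, the IPv4-address key and every function name are assumptions made for this example.

```c
/* Added example, not from MITRE or the page: admission control for the
 * fork-per-connection server. Bounds the total number of live handler
 * processes and the number any single remote address may hold.
 * MAX_TOTAL_CHILDREN and MAX_PER_CLIENT are assumed values. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_TOTAL_CHILDREN 64   /* assumed global cap on live handlers */
#define MAX_PER_CLIENT      4   /* assumed cap per source IPv4 address */

struct conn { int used; pid_t pid; uint32_t addr; };
struct limiter { int total_live; struct conn live[MAX_TOTAL_CHILDREN]; };

/* How many live handlers this remote address currently holds. */
static int count_for(const struct limiter *l, uint32_t addr)
{
    int n = 0;
    for (int i = 0; i < MAX_TOTAL_CHILDREN; i++)
        if (l->live[i].used && l->live[i].addr == addr) n++;
    return n;
}

/* Reserve a slot before forking. Returns the slot index, or -1 to refuse.
 * Refusal is the documented behaviour at the limit: the socket is closed. */
int limiter_admit(struct limiter *l, uint32_t addr)
{
    if (l->total_live >= MAX_TOTAL_CHILDREN) return -1;   /* global cap */
    if (count_for(l, addr) >= MAX_PER_CLIENT) return -1;  /* per-client cap */
    for (int i = 0; i < MAX_TOTAL_CHILDREN; i++) {
        if (!l->live[i].used) {
            l->live[i].used = 1;
            l->live[i].addr = addr;
            l->live[i].pid = 0;
            l->total_live++;
            return i;
        }
    }
    return -1;
}

/* Record the child pid that now owns the slot. */
void limiter_bind(struct limiter *l, int slot, pid_t pid)
{
    if (slot >= 0 && slot < MAX_TOTAL_CHILDREN) l->live[slot].pid = pid;
}

/* Return a slot; used on fork failure and when a child exits. */
void limiter_release_slot(struct limiter *l, int slot)
{
    if (slot < 0 || slot >= MAX_TOTAL_CHILDREN || !l->live[slot].used) return;
    l->live[slot].used = 0;
    l->total_live--;
}

/* Release the slot owned by pid; returns 1 if one was found, else 0. */
int limiter_release_pid(struct limiter *l, pid_t pid)
{
    for (int i = 0; i < MAX_TOTAL_CHILDREN; i++) {
        if (l->live[i].used && l->live[i].pid == pid) {
            limiter_release_slot(l, i);
            return 1;
        }
    }
    return 0;
}

/* Reap every exited child without blocking; call once per accept iteration. */
static void limiter_reap(struct limiter *l)
{
    pid_t pid;
    while ((pid = waitpid(-1, NULL, WNOHANG)) > 0)
        limiter_release_pid(l, pid);
}

int main(void)
{
    struct limiter lim;
    memset(&lim, 0, sizeof lim);
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in local = { .sin_family = AF_INET, .sin_port = htons(8080),
                                 .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (sock < 0 || bind(sock, (struct sockaddr *)&local, sizeof local) < 0 ||
        listen(sock, 16) < 0) {
        perror("listen");
        return 1;
    }
    while (1) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        int newsock = accept(sock, (struct sockaddr *)&peer, &len);
        if (newsock < 0) continue;
        limiter_reap(&lim);                       /* free slots of finished handlers */
        int slot = limiter_admit(&lim, ntohl(peer.sin_addr.s_addr));
        if (slot < 0) {                           /* at a limit: refuse, do not fork */
            close(newsock);
            continue;
        }
        pid_t pid = fork();
        if (pid < 0) {                            /* fork failed: give the slot back */
            limiter_release_slot(&lim, slot);
            close(newsock);
        } else if (pid == 0) {
            close(sock);                          /* child: serve newsock here, then exit */
            close(newsock);
            _exit(0);
        } else {
            limiter_bind(&lim, slot, pid);
            close(newsock);                       /* parent keeps only the listener */
        }
    }
}
```

The two caps are deliberately separate: the global cap protects the host, the per-address cap keeps one peer from taking the whole pool, which is what the "per-user limits" mitigation asks for. Reaping with waitpid(WNOHANG) on every iteration is what makes the caps meaningful; without it, slots are never returned and the server throttles itself into CWE-410 territory, so the cap values should be sized for expected load and made administrator-configurable rather than hard-coded as here.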
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the da…
    int writeDataFromSocketToFile(char *host, int port)
    {
        char filename[FILENAME_SIZE];
        char buffer[BUFFER_SIZE];
        int socket = openSocketConnection(host, port);

        if (socket < 0) {
            printf("Unable to open socket connection");
            return(FAIL);
        }
        if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {
            if (openFileToWrite(filename) > 0) {
                /* no bound on the total amount written: the client controls disk usage */
                while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0) {
                    if (!(writeToFile(buffer) > 0))
                        break;
                }
            }
            closeFile();
        }
        closeSocket(socket);
    }
Bad · C
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2021-43045 | Possible DOS vulnerabilities in C# Avro SDK | Apache Avro | 7.5 | - | 2022-01-06 |
| CVE-2021-34741 | Cisco Email Security Appliance Denial of Service Vulnerability | Cisco Email Security Appliance (ESA) | 7.5 | High | 2021-11-04 |
| CVE-2021-1121 | NVIDIA vGPU software security vulnerability | NVIDIA Virtual GPU Software | 5.5 | Medium | 2021-10-29 |
| CVE-2021-40114 | Multiple Cisco Products Snort Memory Leak Denial of Service Vulnerability | Cisco Firepower Threat Defense Software | 6.8 | Medium | 2021-10-27 |
| CVE-2021-31369 | Junos OS: MX Series: Traffic drops will be observed if MS-MPC/MS-PIC resources are consumed by certain traffic causing a partial DoS | Junos OS | 5.3 | Medium | 2021-10-19 |
| CVE-2021-34710 | Cisco ATA 190 Series Analog Telephone Adapter Software Vulnerabilities | Cisco Analog Telephone Adaptor (ATA) Software | 8.8 | High | 2021-10-06 |
| CVE-2021-34735 | Cisco ATA 190 Series Analog Telephone Adapter Software Vulnerabilities | Cisco Analog Telephone Adaptor (ATA) Software | 8.8 | High | 2021-10-06 |
| CVE-2021-32675 | DoS vulnerability in Redis | redis | 7.5 | High | 2021-10-04 |
| CVE-2021-33011 | JTEKT TOYOPUC-Plus security vulnerability | JTEKT Corporation TOYOPUC products | 4.3 | - | 2021-09-10 |
| CVE-2021-22919 | Citrix ADC and NetScaler Gateway security vulnerability | Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP | 7.5 | - | 2021-08-05 |
| CVE-2021-0285 | Junos OS: QFX5000 Series and EX4600 Series: Continuous traffic destined to a device configured with MC-LAG leading to nodes losing their control connection which can impact traffic | Junos OS | 7.5 | High | 2021-07-15 |
| CVE-2021-25671 | Siemens RWG security vulnerability | RWG1.M12 | 4.3 | - | 2021-07-13 |
| CVE-2020-28400 | Siemens SCALANCE S602 security vulnerability | Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | 7.5 | High | 2021-07-13 |
| CVE-2021-3637 | Red Hat Keycloak security vulnerability | keycloak-model-infinispan | 7.5 | - | 2021-07-09 |
| CVE-2021-33541 | Phoenix Contact: ILC1x Industrial controllers affected by Denial-of-Service vulnerability | ILC1x | 7.5 | High | 2021-06-25 |
| CVE-2020-14336 | Red Hat OpenShift Container Platform security vulnerability | Openshift | 6.5 | - | 2021-06-02 |
| CVE-2021-3527 | QEMU security vulnerability | QEMU | 5.5 | - | 2021-05-26 |
| CVE-2021-21000 | WAGO: PFC200 Denial of Service due to the number of connections to the runtime | Series PFC200 Controller | 5.3 | Medium | 2021-05-24 |
| CVE-2021-29511 | Memory over-allocation in evm crate | evm | 6.5 | Medium | 2021-05-12 |
| CVE-2021-27383 | Siemens SmartVNC buffer error vulnerability | SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants) | 7.5 | - | 2021-05-12 |
| CVE-2021-0224 | Junos OS: ANCPD core when hitting maximum-discovery-table-entries limit | Junos OS | 6.5 | Medium | 2021-04-22 |
| CVE-2021-25666 | SCALANCE W780 and W740 security vulnerability | SCALANCE W780 and W740 (IEEE 802.11n) family | 4.3 | - | 2021-02-09 |
| CVE-2021-1350 | Cisco Umbrella Dashboard Packet Flood Vulnerability | Cisco Umbrella Insights Virtual Appliance | 5.3 | Medium | 2021-01-20 |
| CVE-2020-25652 | SPICE vdagent security vulnerability | spice-vdagent | 5.5 | - | 2020-11-26 |
| CVE-2020-25650 | SPICE vdagent security vulnerability | spice-vdagent | 5.5 | - | 2020-11-25 |
| CVE-2020-25648 | NSS security vulnerability | nss | 7.5 | - | 2020-10-20 |
| CVE-2020-8203 | lodash input validation error vulnerability | lodash | 8.1 | - | 2020-07-15 |
| CVE-2020-10717 | QEMU resource management error vulnerability | QEMU | 3.3 | Low | 2020-05-04 |
| CVE-2019-11939 | Facebook Thrift security vulnerability | Facebook Thrift | 7.5 | - | 2020-03-18 |
| CVE-2019-3553 | Facebook Thrift security vulnerability | Facebook Thrift | 7.5 | - | 2020-03-10 |

Vulnerabilities classified as CWE-770 (Allocation of Resources Without Limits or Throttling) represent 826 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.