
CWE-799 (Improper Control of Interaction Frequency) — Vulnerability Class 44

44 vulnerabilities are classified as CWE-799 (Improper Control of Interaction Frequency). An AI-generated analysis in Chinese is included.

CWE-799 describes a weakness in which software fails to restrict the rate or volume of its interactions with an external actor, whether a human user or an automated bot. Attackers typically exploit it by flooding the system with rapid-fire requests, either to exhaust server resources and cause a denial of service or to defeat safeguards that depend on frequency, such as a limit on login attempts. To mitigate the risk, developers should implement rate-limiting and throttling controls at both the application and network layers. Enforcing thresholds on request frequency lets a system distinguish legitimate traffic from abuse, preserving service availability and protecting business logic from automated exploitation.

MITRE CWE Description
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.
Common Consequences (1)
Scope: Availability, Access Control, Other
Impact: DoS: Resource Consumption (Other), Bypass Protection Mechanism, Other
Examples (1)
In the following code a username and password are read from a socket and an attempt is made to authenticate them. The code checks the socket for a username and password repeatedly until authentication succeeds, so nothing bounds the number of guesses a client may submit.

Bad · C

    char username[USERNAME_SIZE];
    char password[PASSWORD_SIZE];
    int isValidUser = 0;

    /* Loops until a valid pair arrives; the number of attempts is never limited. */
    while (isValidUser == 0) {
        if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
            if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
                isValidUser = AuthenticateUser(username, password);
            }
        }
    }
    return(SUCCESS);

Good · C

    int count = 0;

    /* Stop after MAX_ATTEMPTS failed pairs and report failure to the caller. */
    while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {
        if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
            if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
                isValidUser = AuthenticateUser(username, password);
            }
        }
        count++;
    }
    if (isValidUser) {
        return(SUCCESS);
    } else {
        return(FAIL);
    }
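The attempt counter above bounds guesses within one connection; the description also calls for throttling by client across connections. The following is an added example of such an application-layer control, written for this page and not taken from the CWE entry or from any product in the table below: a per-client token bucket. The function names (`rl_allow`, `rl_demo_*`), the constructed client keys (`"10.0.0.5"`, `"10.0.0.6"`) and the parameters (a burst of 5 and a refill of 1 token per second) are assumptions chosen for the demonstration.

```c
/* Added example: per-client token-bucket rate limiter (not from the CWE entry
 * or any listed product). Each client key owns a bucket holding up to
 * `capacity` tokens that refill at `rate` tokens per second; every request
 * consumes one token and is rejected when none is available. */
#include <stdio.h>
#include <string.h>

#define RL_MAX_CLIENTS 64
#define RL_KEY_LEN 64

struct rl_bucket {
    char key[RL_KEY_LEN];  /* client identifier, e.g. source address or account */
    double tokens;         /* tokens currently available */
    double last;           /* timestamp (seconds) of the last refill */
    int used;              /* slot occupied */
};

struct rate_limiter {
    double capacity;       /* maximum burst */
    double rate;           /* sustained tokens per second */
    struct rl_bucket buckets[RL_MAX_CLIENTS];
};

void rl_init(struct rate_limiter *rl, double capacity, double rate) {
    memset(rl, 0, sizeof *rl);
    rl->capacity = capacity;
    rl->rate = rate;
}

/* Find the bucket for `key`, creating a full one on first sight. Returns NULL
 * when the table is exhausted so the caller can fail closed. */
static struct rl_bucket *rl_find(struct rate_limiter *rl, const char *key, double now) {
    struct rl_bucket *free_slot = NULL;
    for (int i = 0; i < RL_MAX_CLIENTS; i++) {
        struct rl_bucket *b = &rl->buckets[i];
        if (b->used && strcmp(b->key, key) == 0) return b;
        if (!b->used && free_slot == NULL) free_slot = b;
    }
    if (free_slot == NULL) return NULL;
    free_slot->used = 1;
    snprintf(free_slot->key, RL_KEY_LEN, "%s", key);
    free_slot->tokens = rl->capacity;
    free_slot->last = now;
    return free_slot;
}

/* Returns 1 if the request from `key` at time `now` may proceed, 0 if it
 * should be rejected (e.g. with HTTP 429 or a delayed auth failure). */
int rl_allow(struct rate_limiter *rl, const char *key, double now) {
    struct rl_bucket *b = rl_find(rl, key, now);
    if (b == NULL) return 0;              /* no slot left: fail closed */
    double elapsed = now - b->last;
    if (elapsed > 0) {                    /* refill proportionally to elapsed time */
        b->tokens += elapsed * rl->rate;
        if (b->tokens > rl->capacity) b->tokens = rl->capacity;
        b->last = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Constructed scenario: one client sends `n` login attempts at the same instant.
 * With a burst of 5 only the first 5 pass. */
int rl_demo_burst(int n) {
    struct rate_limiter rl;
    rl_init(&rl, 5.0, 1.0);
    int allowed = 0;
    for (int i = 0; i < n; i++)
        if (rl_allow(&rl, "10.0.0.5", 0.0)) allowed++;
    return allowed;
}

/* Constructed scenario: the client drains its bucket at t=0, waits 3 seconds,
 * then sends 10 more attempts; exactly 3 tokens have refilled. */
int rl_demo_refill(void) {
    struct rate_limiter rl;
    rl_init(&rl, 5.0, 1.0);
    for (int i = 0; i < 10; i++) rl_allow(&rl, "10.0.0.5", 0.0);
    int allowed = 0;
    for (int i = 0; i < 10; i++)
        if (rl_allow(&rl, "10.0.0.5", 3.0)) allowed++;
    return allowed;
}

/* Constructed scenario: one client's exhaustion does not affect another's bucket. */
int rl_demo_isolation(void) {
    struct rate_limiter rl;
    rl_init(&rl, 5.0, 1.0);
    for (int i = 0; i < 10; i++) rl_allow(&rl, "10.0.0.5", 0.0);
    return rl_allow(&rl, "10.0.0.6", 0.0);
}

int main(void) {
    printf("burst of 20 at once: %d allowed\n", rl_demo_burst(20));
    printf("after 3 s refill:   %d allowed\n", rl_demo_refill());
    printf("other client:       %d allowed\n", rl_demo_isolation());
    return 0;
}
```

The limiter fails closed when its table is full, which trades availability for a hard bound on abuse; a production deployment would size or evict the table and typically key on both the account and the source address so that a single account cannot be locked out by one remote client.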
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-34695 | WOWS Karma vulnerable to a post submission bounce/timing attack | WOWS-Karma | 6.3 | Medium | 2024-05-10
CVE-2023-27279 | IBM Aspera Faspex denial of service | Aspera Faspex | 6.5 | Medium | 2024-04-19
CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Dynamics 365 for Finance and Operations | 7.5 | High | 2023-12-12
CVE-2023-38068 | JetBrains YouTrack security vulnerability | YouTrack | 6.5 | Medium | 2023-07-12
CVE-2023-2758 | Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service | CONPROSYS HMI System | 3.7 | Low | 2023-05-31
CVE-2021-37910 | ASUS GT-AXE11000, RT-AX3000, RT-AX55, RT-AX58U, TUF-AX3000 - Improper Authentication | GT-AXE11000 | 3.7 | Low | 2021-11-12
CVE-2021-41177 | Rate-limits not working on instances without configured memory cache backend | security-advisories | 8.1 | High | 2021-10-25
CVE-2021-37191 | Siemens SINEMA Remote Connect Server security vulnerability | SINEMA Remote Connect Server | 4.3 | - | 2021-09-14
CVE-2021-32741 | Lack of ratelimit on public share link mount endpoint | security-advisories | 5.3 | Medium | 2021-07-12
CVE-2021-32705 | Lack of ratelimit on public DAV endpoint | security-advisories | 5.3 | Medium | 2021-07-12
CVE-2021-32703 | Lack of ratelimit on shareinfo endpoint | security-advisories | 5.3 | Medium | 2021-07-12
CVE-2021-32678 | Ratelimit not applied on OCS API responses | security-advisories | 3.7 | Low | 2021-07-12
CVE-2020-5141 | SonicWall SonicOS security vulnerability | SonicOS | 6.5 | - | 2020-10-12
CVE-2016-6543 | A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data | Easy | 7.5 | - | 2018-07-13

44 CVEs are classified as CWE-799 (Improper Control of Interaction Frequency). The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.