CWE-770: Allocation of Resources Without Limits or Throttling
Code frequently has to work with limited resources, so programmers must be careful to ensure that resources are not consumed too quickly, or too easily. Without use of quotas, resource limits, or other protection mechanisms, it can be easy for an attacker to consume many resources by rapidly making many requests, or causing larger resources to be used than is needed. When too many resources are allocated, or if a single resource is too large, then it can prevent the code from working correctly, possibly leading to a denial of service.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Implementation | |
| Operation | |
| System Configuration |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-400 | Uncontrolled Resource Consumption | Class | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-665 | Improper Initialization | Class | Simple | Draft | |
| CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-400 | Uncontrolled Resource Consumption | Class | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-125 | Flooding | CWE-770 |
| CAPEC-130 | Excessive Allocation | CWE-770 |
| CAPEC-147 | XML Ping of the Death | CWE-770 |
| CAPEC-197 | Exponential Data Expansion | CWE-770 |
| CAPEC-229 | Serialized Data Parameter Blowup | CWE-770 |
| CAPEC-230 | Serialized Data with Nested Payloads | CWE-770 |
| CAPEC-231 | Oversized Serialized Data Payloads | CWE-770 |
| CAPEC-469 | HTTP DoS | CWE-770 |
| CAPEC-482 | TCP Flood | CWE-770 |
| CAPEC-486 | UDP Flood | CWE-770 |
| CAPEC-487 | ICMP Flood | CWE-770 |
| CAPEC-488 | HTTP Flood | CWE-770 |
| CAPEC-489 | SSL Flood | CWE-770 |
| CAPEC-490 | Amplification | CWE-770 |
| CAPEC-491 | Quadratic Data Expansion | CWE-770 |
| CAPEC-493 | SOAP Array Blowup | CWE-770 |
| CAPEC-494 | TCP Fragmentation | CWE-770 |
| CAPEC-495 | UDP Fragmentation | CWE-770 |
| CAPEC-496 | ICMP Fragmentation | CWE-770 |
| CAPEC-528 | XML Flood | CWE-770 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |