Total
1051 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39877 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 7.7 HIGH |
| A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. | |||||
| CVE-2021-39229 | 1 Nuxref | 1 Apprise | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions users who use Apprise granting them access to the IFTTT plugin (which just comes out of the box) are subject to a denial of service attack on an inefficient regular expression. The vulnerable regular expression is [here](https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359). The problem has been patched in release version 0.9.5.1. Users who are unable to upgrade are advised to remove `apprise/plugins/NotifyIFTTT.py` to eliminate the service. | |||||
| CVE-2021-38181 | 1 Sap | 2 Netweaver Abap, Netweaver As Abap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2021-37137 | 5 Debian, Netapp, Netty and 2 more | 12 Debian Linux, Oncommand Insight, Netty and 9 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. | |||||
| CVE-2021-37136 | 5 Debian, Netapp, Netty and 2 more | 19 Debian Linux, Oncommand Insight, Netty and 16 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack | |||||
| CVE-2021-37061 | 1 Huawei | 1 Harmonyos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Uncontrolled Resource Consumption vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to Screen projection application denial of service. | |||||
| CVE-2021-36716 | 1 Segment | 1 Is-email | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. An attacker that is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of CPU. | |||||
| CVE-2021-34549 | 1 Torproject | 1 Tor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data. Consequently. an attacker can trigger the use of an attacker-chosen circuit ID to cause algorithm inefficiency. | |||||
| CVE-2021-33824 | 1 Moxa | 2 Mgate Mb3180, Mgate Mb3180 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on MOXA Mgate MB3180 Version 2.1 Build 18113012. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service. | |||||
| CVE-2021-33822 | 1 Sing4g | 2 4gee Router Hh70vb, 4gee Router Hh70vb Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on 4GEE ROUTER HH70VB Version HH70_E1_02.00_22. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service. | |||||
| CVE-2021-33818 | 1 Ui | 2 Camera G3 Flex, Camera G3 Flex Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service. | |||||
| CVE-2021-33623 | 3 Debian, Netapp, Trim-newlines Project | 3 Debian Linux, E-series Performance Analyzer, Trim-newlines | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. | |||||
| CVE-2021-33580 | 1 Apache | 1 Roller | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2. | |||||
| CVE-2021-33503 | 3 Fedoraproject, Oracle, Python | 5 Fedora, Enterprise Manager Ops Center, Instantis Enterprisetrack and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. | |||||
| CVE-2021-32918 | 4 Debian, Fedoraproject, Lua and 1 more | 4 Debian Linux, Fedora, Lua and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. | |||||
| CVE-2021-32839 | 1 Sqlparse Project | 1 Sqlparse | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2. | |||||
| CVE-2021-32838 | 2 Fedoraproject, Flask-restx Project | 2 Fedora, Flask-restx | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS (Regular Expression Denial of Service) in email_regex. This is fixed in version 0.5.1. | |||||
| CVE-2021-32740 | 2 Addressable Project, Fedoraproject | 2 Addressable, Fedora | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking. | |||||
| CVE-2021-32723 | 2 Oracle, Prismjs | 2 Application Express, Prism | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text. | |||||
| CVE-2021-31409 | 1 Vaadin | 1 Vaadin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. | |||||