Total
1293 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-26699 | 1 Redhat | 2 Ansible Automation Platform, Discovery | 2025-03-19 | 5 Medium |
| An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. | ||||
| CVE-2024-54658 | 2 Apple, Redhat | 8 Ipados, Iphone Os, Macos and 5 more | 2025-03-19 | 6.5 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, Safari 17.4, tvOS 17.4, watchOS 10.4, visionOS 1.1, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service. | ||||
| CVE-2022-28656 | 2 Apport Project, Canonical | 2 Apport, Ubuntu Linux | 2025-03-19 | 5.5 Medium |
| is_closing_session() allows users to consume RAM in the Apport process | ||||
| CVE-2023-2650 | 3 Debian, Openssl, Redhat | 5 Debian Linux, Openssl, Enterprise Linux and 2 more | 2025-03-19 | 6.5 Medium |
| Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. | ||||
| CVE-2024-44083 | 1 Hex-rays | 1 Ida Pro | 2025-03-18 | 7.5 High |
| ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases, this is an inconvenience but not a security issue. | ||||
| CVE-2025-29907 | 2025-03-18 | N/A | ||
| jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are html and addSvgAsImage. The vulnerability was fixed in jsPDF 3.0.1. | ||||
| CVE-2023-24785 | 1 Peazip Project | 1 Peazip | 2025-03-18 | 5.5 Medium |
| An issue in Giorgio Tani peazip v.9.0.0 allows attackers to cause a denial of service via the End of Archive tag function of the peazip/pea UNPEA feature. | ||||
| CVE-2023-0568 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-03-18 | 7.5 High |
| In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. | ||||
| CVE-2025-21509 | 1 Oracle | 1 Jd Edwards Enterpriseone Tools | 2025-03-17 | 6.5 Medium |
| Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | ||||
| CVE-2025-21508 | 1 Oracle | 1 Jd Edwards Enterpriseone Tools | 2025-03-17 | 6.5 Medium |
| Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | ||||
| CVE-2022-31394 | 1 Hyper | 1 Hyper | 2025-03-17 | 7.5 High |
| Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks. | ||||
| CVE-2025-29786 | 1 Redhat | 4 Enterprise Linux, Openshift Custom Metrics Autoscaler, Openshift Distributed Tracing and 1 more | 2025-03-17 | 7.5 High |
| Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch. | ||||
| CVE-2023-6563 | 1 Redhat | 9 Build Keycloak, Enterprise Linux, Keycloak and 6 more | 2025-03-15 | 7.7 High |
| An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system. | ||||
| CVE-2023-26249 | 1 Nic | 1 Knot Resolver | 2025-03-14 | 7.5 High |
| Knot Resolver before 5.6.0 enables attackers to consume its resources, launching amplification attacks and potentially causing a denial of service. Specifically, a single client query may lead to a hundred TCP connection attempts if a DNS server closes connections without providing a response. | ||||
| CVE-2024-13054 | 1 Gitlab | 1 Gitlab | 2025-03-14 | 6.5 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions. | ||||
| CVE-2025-1257 | 1 Gitlab | 1 Gitlab | 2025-03-14 | 6.5 Medium |
| An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service condition by manipulating specific API inputs. | ||||
| CVE-2024-50955 | 1 Xinje | 1 Xd5e-24r-e Firmware | 2025-03-13 | 7.5 High |
| An issue in how XINJE XD5E-24R and XL5E-16T v3.5.3b handles TCP protocol messages allows attackers to cause a Denial of Service (DoS) via a crafted TCP message. | ||||
| CVE-2024-46933 | 2025-03-13 | 7.7 High | ||
| An issue was discovered in Atos Eviden BullSequana XH2140 BMC before C4EM-125: OMF_C4E 101.05.0014. Some BullSequana XH products were shipped without proper hardware programming, leading to a potential denial-of-service with privileged access. | ||||
| CVE-2023-23916 | 6 Debian, Fedoraproject, Haxx and 3 more | 19 Debian Linux, Fedora, Curl and 16 more | 2025-03-12 | 6.5 Medium |
| An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. | ||||
| CVE-2025-20209 | 2025-03-12 | 7.5 High | ||
| A vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets. This vulnerability is due to improper handling of malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device. A successful exploit could allow the attacker to prevent the affected device from processing any control plane UDP packets, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | ||||