#dos

**According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of availability (A:H)? What does that mean for this vulnerability?** An attacker could impact availability of the service resulting in Denial of Service (DoS).

**According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?** An authenticated attacker could exploit this vulnerability with LAN access.

**According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?** An unauthenticated attacker with LAN access could exploit this vulnerability.

**According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?** This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

**According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of availability (A:H)? What does that mean for this vulnerability?** An attacker could impact availability of the service resulting in Denial of Service (DoS).

**According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of availability (A:H)? What does that mean for this vulnerability?** An attacker could impact availability of the service resulting in Denial of Service (DoS).

**.NET 6.0 was added to the Security Updates table on October 8, 2024 because it is also affected by this vulnerability. Why are the Download and Article links missing for .NET 6.0?** HTTP/3 support was only experimental in .NET 6.0. If you are using .NET 6 you must update your application to .NET 8 to be protected. Experimental features will not be patched if a later runtime includes the feature as non-experimental..

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected `0\r\n` termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

### Summary A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. ### Details Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard:   By modifying the data sent and duplicating many times the fields a DoS attack is possible. ### PoC The goal is to create a payload that generates a body like this, where the 'max' field is duplicated many times, each with the 'id' field duplicated many times inside it. `{'query': 'query { query_4f4722ea: t...