#dos

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: TropOS Devices Series 1400/2400/6400 Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products of Hitachi Energy are affected: TropOS devices series 1400/2400/6400: All versions prior to 8.9.6 3.2 Vulnerability Overview 3.2.1 IMPROPER INPUT VALIDATION CWE-20 The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. CVE-2013-5211 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 3....

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon M241 / M251 / M258 / LMC058 Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to a denial-of-service and a loss of confidentiality and integrity in the controller. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that following Modicon PLCs are affected: Modicon Controllers M241: All versions Modicon Controllers M251: All versions Modicon Controllers M258: All versions Modicon Controllers LMC058: All versions 3.2 Vulnerability Overview 3.2.1 IMPROPER INPUT VALIDATION CWE-20 An improper input validation vulnerability exists that could lead to a denial-of-service and a loss of confidentiality and integrity in the controller when an unauthenticated crafted Modbus packet is sent to the device. CVE-2024-11737 has been assigned to this vulnerability. A CVSS v3 base...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: PowerMonitor 1000 Remote Vulnerabilities: Unprotected Alternate Channel, Heap-based Buffer Overflow, Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform edit operations, create admin users, perform factory reset, execute arbitrary code, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports the following versions of PowerMonitor 1000 Remote are affected: PM1k 1408-BC3A-485: Versions prior to 4.020 PM1k 1408-BC3A-ENT: Versions prior to 4.020 PM1k 1408-TS3A-485: Versions prior to 4.020 PM1k 1408-TS3A-ENT: Versions prior to 4.020 PM1k 1408-EM3A-485: Versions prior to 4.020 PM1k 1408-EM3A-ENT: Versions prior to 4.020 PM1k 1408-TR1A-485: Versions prior to 4.020 PM1k 1408-TR2A-485: Versions prior to 4.020 PM1k 1408-EM1A-485: Vers...

The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.

The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.

An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.

An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.