CVEbaza.plSłownik CWECWE-408
Common Weakness Enumeration

CWE-408

Incorrect Behavior Order: Early Amplification

Kategoria: BaseCVE: 6
Opis

Produkt pozwala jednostce na wykonanie legalnej, ale kosztownej operacji przed uwierzytelnieniem lub autoryzacją. Może to prowadzić do wyczerpania zasobów przez nieuwierzytelnione żądania.

Description (EN)

The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.

Podatności CVE z CWE-408 (6)
8.7
CVSS
HIGH
CVE-2026-41405

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks.

pub. 2026-04-28
7.5
CVSS
HIGH
CVE-2022-2576

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

pub. 2022-07-29
7.5
CVSS
HIGH
CVE-2020-1657

On SRX Series devices, a vulnerability in the key-management-daemon (kmd) daemon of Juniper Networks Junos OS allows an attacker to spoof packets targeted to IPSec peers before a security association (SA) is established thereby causing a failure to set up the IPSec channel. Sustained receipt of these spoofed packets can cause a sustained Denial of Service (DoS) condition. This issue affects IPv4 and IPv6 implementations. This issue affects Juniper Networks Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D90; 15.1X49 versions prior to 15.1X49-D190; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S9; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R1-S6, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S4, 19.1R2. This issue does not affect 12.3 or 15.1 releases which are non-SRX Series releases.

pub. 2020-10-16
6.9
CVSS
MEDIUM
CVE-2026-41374

OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger audio preflight processing without member allowlist validation to cause resource exhaustion.

pub. 2026-04-28
6.9
CVSS
MEDIUM
CVE-2026-41331

OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiating audio preflight operations before authorization checks are applied.

pub. 2026-04-21
5.3
CVSS
MEDIUM
CVE-2026-3592

BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

pub. 2026-05-20
Informacje
ID: CWE-408
Typ: Base
Podatności: 6
MITRE CWE ↗
← Słownik CWE