- What is CWE-400?
- The product does not properly control the allocation and maintenance of a limited resource.
- What CVEs are caused by CWE-400?
- 2,285 recorded CVEs are attributed to CWE-400, including CVE-2020-3566, CVE-2023-38180, CVE-2020-3569. 7 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-400 part of the OWASP Top 10?
- CWE-400 maps to OWASP Top Ten 2004: Denial of Service (A9) in the OWASP security taxonomy.
- How do you prevent CWE-400?
- Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- How is CWE-400 detected?
- Automated Static Analysis: Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value.
- What are the consequences of CWE-400?
- Exploiting CWE-400 can lead to: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Bypass Protection Mechanism, Other.
- Is CWE-400 actively exploited?
- Yes. 7 CWE-400 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 2,285 recorded CVEs.