Abstraction: Class · Status: Incomplete

CWE-410: Insufficient Resource Pool

Category: logic

Description

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by issuing a (relatively) large number of requests for it. Frequently the consequence is a "flood" of connections or sessions.

Common consequences

  • Availability / Integrity / Other — DoS: Crash, Exit, or Restart, Other
    Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.

Potential mitigations

  • [Architecture and Design] Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
  • [Architecture and Design] Consider implementing a velocity check mechanism that would detect abusive behavior.
  • [Operation] Consider load balancing as an option to handle heavy loads.
  • [Implementation] Make sure that resource handles are properly closed when no longer needed.
  • [Architecture and Design] Identify the system's resource-intensive operations and consider protecting them from abuse (e.g., a malicious automated script that exhausts the resources).
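As an added illustration that is not part of the CWE entry, the toy in-memory pool below (every name in it, including ResourcePool, acquire and exhaust_then_serve, is constructed for this example) shows the weakness and two of the mitigations above: a per-client cap so that a single caller cannot hold every handle, and a context manager that always returns the handle even when the caller fails. With the cap left off, one client holding all four handles leaves the next client unserved; with it on, the pool keeps serving.

```python
from collections import defaultdict
from contextlib import ExitStack, contextmanager
from threading import Lock

class PoolExhausted(Exception):
    pass

class ResourcePool:
    """Fixed-size pool of handles (a constructed stand-in for DB connections or
    sessions). per_client_max caps how many a single client may hold at once;
    leave it at None and the pool is the vulnerable, first-come-first-served kind."""

    def __init__(self, size, per_client_max=None):
        self.free, self.lock = size, Lock()
        self.per_client_max = per_client_max or size
        self._held = defaultdict(int)  # client -> handles held right now

    @contextmanager
    def acquire(self, client):
        with self.lock:
            if self._held[client] >= self.per_client_max:
                raise PoolExhausted(f"{client}: per-client cap reached")
            if self.free == 0:
                raise PoolExhausted("pool exhausted: other clients are starved")
            self.free -= 1
            self._held[client] += 1
        try:
            yield
        finally:  # the handle is always returned, even if the caller raised
            with self.lock:
                self.free += 1
                self._held[client] -= 1

def exhaust_then_serve(pool, greedy="bulk-client", victim="other-user", attempts=8):
    """Greedy client holds as many handles as the pool allows, then the victim
    makes one request while they are held. Returns (handles held, victim served)."""
    held, served = 0, False
    with ExitStack() as stack:
        for _ in range(attempts):
            try:
                stack.enter_context(pool.acquire(greedy))
                held += 1
            except PoolExhausted:
                break
        try:
            with pool.acquire(victim):
                served = True
        except PoolExhausted:
            pass
    return held, served
```

Calling exhaust_then_serve(ResourcePool(4)) returns (4, False), while ResourcePool(4, per_client_max=2) returns (2, True) and has all four handles free again afterwards.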

References

  1. https://cwe.mitre.org/data/definitions/410.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Data Resource Access without Use of Connection Pooling
  • CWE: Improper Restriction of Excessive Authentication Attempts
  • CWE: Improper Resource Shutdown or Release
  • CWE: Improper Resource Locking
  • CWE: Asymmetric Resource Consumption (Amplification)
  • CWE: Incorrect Synchronization

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.