Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Name: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Description: The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Tool Description: Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
Due Date: 2022-09-29
A medium severity vulnerability has been discovered in your project.
Project Name: test
Scanner Name: dependabot
Cwe ID: 400
Cwe Name: Uncontrolled Resource Consumption (Resource Exhaustion)
Cwe Link: https://cwe.mitre.org/data/definitions/400.html
File: go.sum
Packages:
References:
Training(Secure Code Warrior):
Name: Uncontrolled Resource Consumption
Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/dos/routing/go/vanilla
Videos:
Name: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Description: The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/xxe/generic/go/vanilla
Videos:
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection
Videos:
Tool Description: Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
Kondukto Link: http://80.kondukto.local/projects/6331ad74ef14f4953e572991/vulns/appsec?page=1&perPage=15&id=in:63359eddde3f4040f62a1569