CWE-410: Insufficient Resource Pool

Description

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Extended Description

Frequently the consequence is a "flood" of connections or sessions.

Example Vulnerable Code

Example - 1

In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.

<Resource name="jdbc/exampledb"
          auth="Container"
          type="javax.sql.DataSource"
          removeAbandoned="true"
          removeAbandonedTimeout="30"
          maxActive="5"
          maxIdle="5"
          maxWait="60000"
          username="testuser"
          password="testpass"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost/exampledb"/>
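A capacity check for the pool in Example 1, as an added example that is not part of the CWE entry or of Tomcat: it reads maxActive and maxWait from the Resource element and replays a constructed peak-demand profile against a simple FIFO pool model. The load profile, the function names and the model (which ignores removeAbandoned and assumes a non-negative maxWait) are assumptions.

```python
import heapq
import math
import xml.etree.ElementTree as ET

# The Resource element from Example 1, wrapped in a Context element.
CONTEXT_XML = """<Context>
  <Resource name="jdbc/exampledb" auth="Container" type="javax.sql.DataSource"
            removeAbandoned="true" removeAbandonedTimeout="30"
            maxActive="5" maxIdle="5" maxWait="60000"
            username="testuser" password="testpass"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://localhost/exampledb"/>
</Context>"""

def pool_limits(xml_text, name):
    """Return (maxActive, maxWait in seconds) for the named Resource."""
    for res in ET.fromstring(xml_text).iter("Resource"):
        if res.get("name") == name:
            return int(res.attrib["maxActive"]), int(res.attrib["maxWait"]) / 1000
    raise KeyError(name)

def simulate(max_active, max_wait_s, arrivals, hold_s):
    """FIFO pool model: each request takes the earliest-free connection,
    or gives up if it would have to wait longer than max_wait_s.
    Returns (served, timed_out)."""
    free_at = [0.0] * max_active      # min-heap: time at which each slot frees up
    served = timed_out = 0
    for t in sorted(arrivals):
        start = max(t, free_at[0])    # earliest moment a connection is available
        if start - t > max_wait_s:
            timed_out += 1            # caller gets a pool-exhausted error
        else:
            heapq.heapreplace(free_at, start + hold_s)
            served += 1
    return served, timed_out

def required_connections(rate_per_s, hold_s):
    """Little's law: mean connections in use = arrival rate x hold time."""
    return math.ceil(rate_per_s * hold_s)

# Constructed peak profile (assumption): 1 request/s for 60 s, 30 s per query.
PEAK = list(range(60))
HOLD_S = 30

if __name__ == "__main__":
    n, wait = pool_limits(CONTEXT_XML, "jdbc/exampledb")
    print(simulate(n, wait, PEAK, HOLD_S), required_connections(1, HOLD_S))
```

With the configured maxActive of 5, 40 of the 60 requests in this profile time out; with 30 connections, the Little's law figure for the same profile, none do.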

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.