CWE-410: Insufficient Resource Pool

Abstraction: Class | Status: Incomplete | Structure: Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Description

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

Extended Description

Frequently the consequence is a "flood" of connections or sessions.

Common Consequences

Scope: Availability, Integrity, Other

Technical Impact: DoS: Crash, Exit, or Restart; Other

Note: Floods often cause a crash or some other problem besides denial of the resource itself; those outcomes are likely examples of *other* vulnerabilities, not of an insufficient resource pool.

Potential Mitigations

Phase: Architecture and Design

Description: Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.

Phase: Architecture and Design

Description: Consider implementing a velocity check mechanism that detects abusive behavior (for example, limiting the rate at which a single client may request resources).

Phase: Operation

Description: Consider load balancing as an option to handle heavy loads.

Phase: Implementation

Description: Make sure that resource handles are properly closed when no longer needed, including handles held by clients that never complete authentication.

Phase: Architecture and Design

Description: Identify the system's resource-intensive operations and consider protecting them from abuse (e.g., a malicious automated script that exhausts the resource).

Observed Examples

Reference: CVE-1999-1363

A large number of locks on a file exhausts the pool and causes a crash.

Reference: CVE-2001-1340

The product supports only one connection and does not disconnect a user who does not provide credentials.

Reference: CVE-2002-0406

A large number of connections opened without providing credentials allows connection exhaustion.
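The pattern behind CVE-2001-1340 and CVE-2002-0406 (a fixed pool, connections held open without credentials) and the mitigations listed above, worked through in code. This is an added example, not MITRE/CWE material and not code from any product named in the observed examples; the acceptor classes, the simulated clock and all peer addresses are constructed for the demonstration.

```python
"""CWE-410: a connection acceptor whose fixed pool is exhausted by an
unauthenticated flood, beside a hardened acceptor with the same pool size.

Added example (not CWE/MITRE code).  Acceptor classes, clock values and
peer addresses are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Conn:
    """One pooled connection handle (constructed type)."""
    peer: str
    opened_at: float
    authenticated: bool = False


class VulnerableAcceptor:
    """Fixed pool, no per-peer limit, no velocity check, no authentication
    deadline: handles opened without credentials are held forever."""

    def __init__(self, pool_size: int) -> None:
        self.pool_size = pool_size
        self.conns: list[Conn] = []

    def accept(self, peer: str, now: float) -> Conn | None:
        if len(self.conns) >= self.pool_size:
            return None              # pool exhausted: next legitimate user refused
        conn = Conn(peer, now)
        self.conns.append(conn)
        return conn

    def tick(self, now: float) -> None:
        pass                         # never reclaims idle, unauthenticated handles


class HardenedAcceptor:
    """Same pool size plus: a per-peer token bucket (velocity check), a
    per-peer cap, and closing of handles that never authenticate in time."""

    def __init__(self, pool_size: int, per_peer_max: int, auth_timeout: float,
                 rate_per_sec: float, burst: int) -> None:
        self.pool_size, self.per_peer_max = pool_size, per_peer_max
        self.auth_timeout, self.rate, self.burst = auth_timeout, rate_per_sec, burst
        self.conns: list[Conn] = []
        self.buckets: dict[str, tuple[float, float]] = {}  # peer -> (tokens, last)

    def _allow_rate(self, peer: str, now: float) -> bool:
        """Token bucket: one token per attempt, refilled at `rate` up to `burst`."""
        tokens, last = self.buckets.get(peer, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[peer] = (tokens, now)
            return False
        self.buckets[peer] = (tokens - 1.0, now)
        return True

    def accept(self, peer: str, now: float) -> Conn | None:
        self.tick(now)                           # reclaim stale handles first
        if not self._allow_rate(peer, now):
            return None                          # velocity check tripped
        if sum(1 for c in self.conns if c.peer == peer) >= self.per_peer_max:
            return None                          # one source cannot fill the pool
        if len(self.conns) >= self.pool_size:
            return None                          # pool genuinely full
        conn = Conn(peer, now)
        self.conns.append(conn)
        return conn

    def tick(self, now: float) -> None:
        """Close every handle that has not authenticated within auth_timeout."""
        self.conns = [c for c in self.conns
                      if c.authenticated or now - c.opened_at < self.auth_timeout]


def run_flood(acceptor, attacker_peers: list[str], flood_count: int,
              legit_peer: str, legit_at: float) -> tuple[int, bool]:
    """Constructed scenario: the attacker opens flood_count connections from
    attacker_peers from t=0, 10 ms apart, and never authenticates.  At
    t=legit_at one legitimate user connects and, if admitted, authenticates.
    Returns (attacker handles still open one second later, legit admitted)."""
    t = 0.0
    for i in range(flood_count):
        acceptor.accept(attacker_peers[i % len(attacker_peers)], t)
        t += 0.01
    legit = acceptor.accept(legit_peer, legit_at)
    if legit is not None:
        legit.authenticated = True
    acceptor.tick(legit_at + 1.0)
    attacker_open = sum(1 for c in acceptor.conns if c.peer in attacker_peers)
    return attacker_open, legit is not None


if __name__ == "__main__":
    botnet = [f"203.0.113.{i}" for i in range(1, 33)]          # constructed addresses
    print(run_flood(VulnerableAcceptor(64), ["203.0.113.7"], 200, "198.51.100.2", 30.0))
    print(run_flood(HardenedAcceptor(64, 4, 10.0, 2.0, 5), botnet, 200, "198.51.100.2", 5.0))
    print(run_flood(HardenedAcceptor(64, 4, 10.0, 2.0, 5), botnet, 200, "198.51.100.2", 30.0))
```

Both acceptors have the same 64-slot pool; the difference is entirely in what is done with handles that never authenticate. Against a single source the hardened acceptor holds the attacker to four slots and admits the legitimate user immediately. Against 32 sources it still fills up inside the authentication window (per-peer caps and velocity checks do not stop a distributed flood), and only the authentication deadline frees the pool, which is the point of the "do not hold resources for unauthenticated requests" mitigation above.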

Modes of Introduction

Phase | Note
Architecture and Design | -
Implementation | -
Operation | -

Applicable Platforms

Languages
Not Language-Specific (Prevalence: Undetermined)

Taxonomy Mappings

Taxonomy Name | Node ID | Mapped Node Name | Fit
PLOVER | - | Insufficient Resource Pool | -
OWASP Top Ten 2004 | A9 | Denial of Service | CWE More Specific
The CERT Oracle Secure Coding Standard for Java (2011) | TPS00-J | Use thread pools to enable graceful degradation of service during traffic bursts | -

Key Information

CWE ID: CWE-410

Abstraction: Class

Structure: Simple

Status: Incomplete

Related Weaknesses