CWE-409 对高度压缩数据的处理不恰当(数据放大攻击)

admin 2022年1月5日20:59:23CWE(弱点枚举)评论18 views1656字阅读5分31秒阅读模式

CWE-409 对高度压缩数据的处理不恰当(数据放大攻击)

Improper Handling of Highly Compressed Data (Data Amplification)

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown


The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.


An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.


  • cwe_Nature: ChildOf cwe_CWE_ID: 405 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 405 cwe_View_ID: 699 cwe_Ordinal: Primary


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
Availability ['DoS: Amplification', 'DoS: Crash, Exit, or Restart', 'DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)'] System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.


The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

attack XML




标识 说明 链接
CVE-2009-1955 XML bomb in web server module
CVE-2003-1564 Parsing library allows XML bomb


映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Data Amplification
The CERT Oracle Secure Coding Standard for Java (2011) IDS04-J Limit the size of files passed to ZipInputStream


特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2022年1月5日20:59:23
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-409 对高度压缩数据的处理不恰当(数据放大攻击)


匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: