CWE-410: Insufficient Resource Pool
Official CWE-410 context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-410: Insufficient Resource Pool
Insufficient Resource Pool is a recurring weakness pattern: when a pool of connections, sessions, or handles is sized below peak demand and nothing limits how much of it a single client may consume, a relatively small number of requests can deny the resource to everyone else.
Executive Impact
- Scope: Availability, Integrity, Other. Impact: DoS: Crash, Exit, or Restart; Other. Note: floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.
Developer Pattern
CWE-410 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
High confidence, based on the CWE-410 entry (CWE version 4.20).
Official CWE Definition
CWE-410: Insufficient Resource Pool
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
Frequently the consequence is a "flood" of connections or sessions.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.
Remediation
- Architecture and Design: Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
- Architecture and Design: Consider implementing a velocity check mechanism which would detect abusive behavior.
- Operation: Consider load balancing as an option to handle heavy loads.
- Implementation: Make sure that resource handles are properly closed when no longer needed.
- Architecture and Design: Identify the system's resource-intensive operations and consider protecting them from abuse (e.g. a malicious automated script that exhausts the resources).
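As an added illustration (not code from CWE or from the Glexia page), the Python model below reproduces the five-connection, bounded-wait pool described under Causes and the per-client velocity check from the remediation list. The `ConnectionPool` class, the client names and the shortened 0.05 s wait (standing in for the 60 s timeout) are constructed for the demo.

```python
import threading

class ConnectionPool:
    """Bounded pool: at most `size` handles may be checked out at once.
    acquire() blocks for up to `wait_seconds` and then fails, mirroring a
    JDBC pool's max-active / max-wait settings (constructed model)."""
    def __init__(self, size, wait_seconds, per_client_limit=None):
        self._slots = threading.BoundedSemaphore(size)
        self._wait = wait_seconds
        self._per_client_limit = per_client_limit  # None = no velocity check
        self._held = {}                             # client_id -> handles held
        self._lock = threading.Lock()

    def acquire(self, client_id):
        # Mitigation: refuse before touching the shared pool when this client
        # already holds its share, so one client cannot starve the others.
        with self._lock:
            if (self._per_client_limit is not None
                    and self._held.get(client_id, 0) >= self._per_client_limit):
                return False
        if not self._slots.acquire(timeout=self._wait):
            return False                            # pool exhausted: request fails
        with self._lock:
            self._held[client_id] = self._held.get(client_id, 0) + 1
        return True

    def release(self, client_id):
        with self._lock:
            self._held[client_id] -= 1
        self._slots.release()

def exhaustion_demo(per_client_limit=None):
    """One noisy client checks out connections and never releases them; a
    second client then tries once. Returns (noisy_successes, other_got_one)."""
    pool = ConnectionPool(size=5, wait_seconds=0.05,
                          per_client_limit=per_client_limit)
    noisy_successes = sum(pool.acquire("noisy_client") for _ in range(8))
    other_got_one = pool.acquire("customer")
    return noisy_successes, other_got_one

if __name__ == "__main__":
    print("no per-client cap:", exhaustion_demo())     # (5, False)
    print("cap of 2 per client:", exhaustion_demo(2))  # (2, True)
```

Without a cap the whole pool is consumed and the second client's request times out; with a per-client cap the noisy client is refused after two handles and the other request is served.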
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.