CWE-408 - Incorrect Behavior Order: Early Amplification
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release Date: 2006-07-19
- Latest Modification Date: 2024-02-29
Weakness Name
Incorrect Behavior Order: Early Amplification
Description
The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.
Common Consequences
Scope: Availability
Impact: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Notes: System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.
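The ordering problem described above, shown as an added example that is not part of the CWE entry: the same handler written with the costly step before the check and with the check first. The key, token scheme, handler names and sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; the key, token scheme and handler names are assumptions.
SERVER_KEY = b"constructed-demo-key"
expensive_calls = 0  # counts how often the costly step actually ran


def make_token(user: str) -> str:
    """Issue a token for `user`: HMAC-SHA256 over the user name."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def is_authenticated(user: str, token: str) -> bool:
    """Cheap check: one HMAC and a constant-time comparison."""
    return hmac.compare_digest(make_token(user), token)


def expensive_report(payload: bytes) -> str:
    """Stand-in for the legitimate but costly operation (CPU-bound key stretching)."""
    global expensive_calls
    expensive_calls += 1
    return hashlib.pbkdf2_hmac("sha256", payload, b"salt", 50_000).hex()


def handle_early_amplification(user: str, token: str, payload: bytes):
    """Weak order: the costly work runs for every caller, then the check happens."""
    result = expensive_report(payload)
    if not is_authenticated(user, token):
        return 401, None
    return 200, result


def handle_auth_first(user: str, token: str, payload: bytes):
    """Corrected order: unauthenticated callers are rejected before any costly work."""
    if not is_authenticated(user, token):
        return 401, None
    return 200, expensive_report(payload)


def cost_of_unauthenticated_burst(handler, requests: int) -> int:
    """Return how many costly operations `requests` bad-token calls triggered."""
    global expensive_calls
    expensive_calls = 0
    for i in range(requests):
        status, _ = handler("alice", "bad-token", b"request-%d" % i)
        assert status == 401
    return expensive_calls
```

Both handlers return the same responses; only the count of costly operations spent on rejected requests differs, which is the availability impact listed above.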
Related Weaknesses