cve/DoS_result/analysis_result_11-20.log
2025-10-06 11:29:53 +08:00

cve: ./data/2011/1xxx/CVE-2011-1022.json
The cgre_receive_netlink_msg function in daemon/cgrulesengd.c in cgrulesengd in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 does not verify that netlink messages originated in the kernel, which allows local users to bypass intended resource restrictions via a crafted message.
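analysis: {"Conatiner":"[Container images that use libcgroup or libcg]","CVE_Reason":"[A user inside the container can bypass resource restrictions via a crafted message, causing heavy consumption of host resources such as CPU and memory]","CVE_Consequence":"[This CVE allows local users to bypass the intended resource restrictions and may lead to host resource exhaustion; severity is high]"}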
cve: ./data/2011/2xxx/CVE-2011-2189.json
net/core/net_namespace.c in the Linux kernel 2.6.32 and earlier does not properly handle a high rate of creation and cleanup of network namespaces, which makes it easier for remote attackers to cause a denial of service (memory consumption) via requests to a daemon that requires a separate namespace per connection, as demonstrated by vsftpd.
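analysis: {"Container":"[Container images that use Linux kernel 2.6.32 and earlier]","CVE_Reason":"[An excessively high rate of network namespace creation and cleanup in containers causes heavy consumption of host memory]","CVE_Consequence":"[This CVE may exhaust host memory and cause a denial of service; severity is relatively high]"}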
cve: ./data/2012/1xxx/CVE-2012-1146.json
The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in the Linux kernel before 3.2.10 does not properly handle multiple events that are attached to the same eventfd, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by registering memory threshold events.
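analysis: {"Conatiner":"[Container images that use an affected Linux kernel]","CVE_Reason":"[A process inside the container may, by registering memory threshold events, cause heavy host CPU consumption spent handling invalid events]","CVE_Consequence":"[This CVE may cause a host system crash or service interruption; severity is high]"}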
cve: ./data/2012/2xxx/CVE-2012-2127.json
fs/proc/root.c in the procfs implementation in the Linux kernel before 3.2 does not properly interact with CLONE_NEWPID clone system calls, which allows remote attackers to cause a denial of service (reference leak and memory consumption) by making many connections to a daemon that uses PID namespaces to isolate clients, as demonstrated by vsftpd.
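analysis: {"Conatiner":"[Container images that use PID namespaces to isolate clients, for example service containers that include vsftpd]","CVE_Reason":"[A process inside the container can cause heavy consumption of host memory through improper PID namespace interaction]","CVE_Consequence":"[This CVE causes a memory leak; severity is relatively high, and it may exhaust host memory and in turn make the system unstable or crash]"}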
cve: ./data/2013/4xxx/CVE-2013-4205.json
Memory leak in the unshare_userns function in kernel/user_namespace.c in the Linux kernel before 3.10.6 allows local users to cause a denial of service (memory consumption) via an invalid CLONE_NEWUSER unshare call.
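analysis: {"Conatiner":"[Container images that use an affected Linux kernel]","CVE_Reason":"[A process inside the container can, via an invalid CLONE_NEWUSER call, leak host memory so that it is heavily consumed]","CVE_Consequence":"[This CVE exhausts host memory and causes a denial of service; severity is high]"}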
cve: ./data/2014/1xxx/CVE-2014-1425.json
cmanager 0.32 does not properly enforce nesting when modifying cgroup properties, which allows local users to set cgroup values for all cgroups via unspecified vectors.
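analysis: {"Conatiner":"cmanager 0.32","CVE_Reason":"Running the container may cause heavy consumption of host CPU or memory, because nesting rules are not properly enforced for cgroup properties, allowing local users to set values for all cgroups.","CVE_Consequence":"This CVE may allow an attacker to bypass resource limits by manipulating cgroup configuration, leading to host resource exhaustion; severity is relatively high."}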
cve: ./data/2014/5xxx/CVE-2014-5207.json
fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.
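analysis: {"Conatiner":"[Any container image that uses an affected Linux kernel]","CVE_Reason":"[A user inside the container can, through specific mount operations, cause frequent host filesystem updates, consuming large amounts of CPU and disk resources]","CVE_Consequence":"[This CVE may cause excessive host filesystem updating, leading to performance degradation or denial of service; severity is relatively high]"}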
cve: ./data/2014/7xxx/CVE-2014-7970.json
The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
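analysis: {"Conatiner":"[Any container image that uses an affected Linux kernel]","CVE_Reason":"[A malicious process inside the container may create a mount loop via the pivot_root system call, causing heavy host CPU consumption]","CVE_Consequence":"[This CVE may trap the host in infinitely recursive mount operations, eventually exhausting CPU resources and causing a denial of service; severity is high]"}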
cve: ./data/2014/8xxx/CVE-2014-8171.json
The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.
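analysis: {"Conatiner":"[Any container that uses an affected Linux kernel]","CVE_Reason":"[A process inside the container can keep spawning new processes in a memory-constrained cgroup, causing heavy host memory consumption and eventually a deadlock]","CVE_Consequence":"[This CVE may exhaust host memory and cause a system deadlock; severity is high]"}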
cve: ./data/2015/3xxx/CVE-2015-3629.json
Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.
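analysis: {"Container":"Docker Engine (using Libcontainer 1.6.0)","CVE_Reason":"A user inside the container can escape to the host via a symlink attack and write arbitrary files on the host, which may indirectly increase resource consumption","CVE_Consequence":"This CVE allows local users to damage the host filesystem through a container escape vulnerability, which may cause serious security problems, including host resource exhaustion"}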
cve: ./data/2015/3xxx/CVE-2015-3631.json
Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.
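analysis: {"Conatiner":"Docker Engine","CVE_Reason":"A user inside the container can set arbitrary Linux Security Modules (LSM) and docker_t policies by overriding files in /proc, which may lead to unintended control or abuse of host resources, for example consuming large amounts of CPU or memory","CVE_Consequence":"This CVE may allow local users to bypass security restrictions and abuse host resources; severity is relatively high"}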
cve: ./data/2016/6xxx/CVE-2016-6213.json
fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.
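analysis: {"Container":"[Any container image that uses an affected Linux kernel]","CVE_Reason":"[An application inside the container may cause heavy host memory consumption via MS_BIND mount calls]","CVE_Consequence":"[This CVE causes memory to be consumed too quickly and may trigger a system deadlock; severity is high]"}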
cve: ./data/2016/8xxx/CVE-2016-8579.json
docker2aci <= 0.12.3 has an infinite loop when handling local images with cyclic dependency chain.
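analysis: {"Conatiner":"docker2aci","CVE_Reason":"Running the container causes heavy consumption of host CPU","CVE_Consequence":"Because of the infinite loop, this CVE may exhaust host CPU resources; severity is relatively high"}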
cve: ./data/2016/9xxx/CVE-2016-9191.json
The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity.
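analysis: {"Conatiner":"[Any container image that uses cgroups]","CVE_Reason":"[Running the container triggers the flaw in the cgroup offline implementation, hanging the host system, possibly consuming large amounts of CPU or blocking scheduling of core processes]","CVE_Consequence":"[This CVE may make the host completely unavailable; severity is high]"}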
cve: ./data/2017/1000xxx/CVE-2017-1000111.json
Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
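analysis: {"Conatiner":"[Any container image that uses an affected Linux kernel]","CVE_Reason":"[A process inside the container may trigger the heap out-of-bounds issue in AF_PACKET sockets, causing heavy host CPU consumption spent handling error states and race conditions]","CVE_Consequence":"[This CVE may cause a host system crash or significant performance degradation; severity is relatively high]"}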
cve: ./data/2017/11xxx/CVE-2017-11468.json
Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service (memory consumption) via the manifest endpoint.
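analysis: {"Container":"Docker Registry","CVE_Reason":"Running the container causes heavy consumption of host memory","CVE_Consequence":"This CVE may allow a remote attacker to send large amounts of data via the manifest endpoint, exhausting host memory and causing a denial of service; severity is relatively high"}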
cve: ./data/2017/14xxx/CVE-2017-14179.json
Apport before 2.13 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers.
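analysis: {"Container":"[Container images affected by the CVE]","CVE_Reason":"[Running the container causes heavy consumption of host CPU]","CVE_Consequence":"[This CVE may lead to resource exhaustion and a denial-of-service attack; severity is high]"}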
cve: ./data/2017/14xxx/CVE-2017-14180.json
Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges, a different vulnerability than CVE-2017-14179.
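analysis: {"Container":"[Container images that use Apport versions 2.13 through 2.20.7]","CVE_Reason":"[A process inside the container can exhaust host resources by abusing PID namespaces]","CVE_Consequence":"[This CVE may cause heavy consumption of host resources such as CPU or memory, leading to a denial of service; severity is high]"}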
cve: ./data/2017/14xxx/CVE-2017-14992.json
Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.
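analysis: {"Conatiner":"Docker-CE (Moby)","CVE_Reason":"Decompressing container image layers consumes large amounts of host memory","CVE_Consequence":"This CVE may exhaust host memory and cause a denial of service; severity is relatively high"}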
cve: ./data/2018/10xxx/CVE-2018-10205.json
hyperstart 1.0.0 in HyperHQ Hyper has memory leaks in the container_setup_modules and hyper_rescan_scsi functions in container.c, related to runV 1.0.0 for Docker.
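analysis: {"Container":"hyperhq/hyper","CVE_Reason":"Running the container causes heavy consumption of host memory","CVE_Consequence":"This CVE causes memory leaks; as the container keeps running, available host memory gradually decreases, which may degrade host performance or make the system unstable; severity is high"}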
cve: ./data/2018/14xxx/CVE-2018-14646.json
The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.
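analysis: {"Conatiner":"[Container images that use an affected Linux kernel]","CVE_Reason":"[An attacker inside the container can exploit this vulnerability to trigger a kernel crash, making the host completely unavailable; a host reboot may be needed to recover]","CVE_Consequence":"[This CVE causes a host kernel crash; severity is high]"}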
cve: ./data/2018/16xxx/CVE-2018-16884.json
A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
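analysis: {"Container":"[Any container image that uses NFS41+ mounts]","CVE_Reason":"[A malicious user inside the container can trigger host kernel memory corruption, leading to a system crash or potential privilege escalation]","CVE_Consequence":"[This CVE may lead to host kernel memory corruption, system outage, and possibly privilege escalation; severity is high]"}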
cve: ./data/2018/1xxx/CVE-2018-1277.json
Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated user may push an app with a malicious Docker image that will consume more space on a Diego cell than allocated in their quota, potentially causing a DoS against the cell.
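analysis: {"Conatiner":"Cloud Foundry Garden-runC","CVE_Reason":"Running the container causes heavy consumption of host disk space","CVE_Consequence":"A malicious Docker image consumes disk space beyond its quota, which may cause a denial of service on the Diego cell; severity is relatively high"}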
cve: ./data/2018/20xxx/CVE-2018-20699.json
Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.
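analysis: {"Conatiner":"Docker Engine","CVE_Reason":"Running the container causes heavy consumption of host memory","CVE_Consequence":"This CVE may allow an attacker to specify a large integer in the --cpuset-mems or --cpuset-cpus parameter, causing excessive memory consumption by the dockerd process and ultimately a denial of service. Severity is high."}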
cve: ./data/2018/6xxx/CVE-2018-6552.json
Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. The is_same_ns() function returns True when /proc/<global pid>/ does not exist in order to indicate that the crash should be handled in the global namespace rather than inside of a container. However, the portion of the data/apport code that decides whether or not to forward a crash to a container does not always replace sys.argv[1] with the value stored in the host_pid variable when /proc/<global pid>/ does not exist which results in the container pid being used in the global namespace. This flaw affects versions 2.20.8-0ubuntu4 through 2.20.9-0ubuntu7, 2.20.7-0ubuntu3.7, 2.20.7-0ubuntu3.8, 2.20.1-0ubuntu2.15 through 2.20.1-0ubuntu2.17, and 2.14.1-0ubuntu3.28.
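analysis: {"Container":"[Container images affected by the CVE]","CVE_Reason":"[Running the container causes heavy consumption of host CPU]","CVE_Consequence":"[This CVE may lead to resource exhaustion and cause a denial of service; severity is high]"}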
cve: ./data/2018/7xxx/CVE-2018-7480.json
The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.
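analysis: {"Conatiner":"[Any container that uses an affected Linux kernel version]","CVE_Reason":"[A process inside the container may trigger the double-free flaw in the blkcg_init_queue function, crashing or destabilizing the host kernel, which may in turn consume more CPU to handle error states or restart services]","CVE_Consequence":"[This CVE may cause a denial of service on the host; severity is relatively high]"}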
cve: ./data/2019/10xxx/CVE-2019-10147.json
rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
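analysis: {"Container":"rkt","CVE_Reason":"Processes in the container are not limited by cgroups when run with `rkt enter`, which may lead to excessive consumption of host resources, including CPU and memory.","CVE_Consequence":"An attacker can exploit this flaw to access host resources, which may exhaust them and affect the stability of the host and other containers; severity is relatively high."}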
cve: ./data/2019/12xxx/CVE-2019-12675.json
Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.
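analysis: {"Conatiner":"Cisco Firepower Threat Defense (FTD) Software","CVE_Reason":"After escaping the container, an attacker can execute commands in the host namespace, which may lead to abuse of host resources, for example consuming large amounts of CPU or memory","CVE_Consequence":"This CVE allows an attacker to impact other running FTD instances and possibly take full control of the host; severity is high"}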
cve: ./data/2019/16xxx/CVE-2019-16884.json
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
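analysis: {"Container":"[Container images that use runc as the runtime]","CVE_Reason":"[A malicious image in the container can bypass AppArmor restrictions and mount over the host's /proc directory, which may lead to unauthorized access to and abuse of host resources, for example consuming large amounts of CPU or memory]","CVE_Consequence":"[This CVE may allow an attacker to abuse host resources, causing a denial of service or other security risks; severity is high]"}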
cve: ./data/2019/20xxx/CVE-2019-20794.json
An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.
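analysis: {"Conatiner":"[Container environments that use Linux kernel 4.18 through 5.6.11]","CVE_Reason":"[A user inside the container can, by creating a PID namespace and mounting a FUSE filesystem, cause hung tasks on the host and resources being permanently locked]","CVE_Consequence":"[This CVE may exhaust host resources; severity is relatively high]"}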
cve: ./data/2019/3xxx/CVE-2019-3874.json
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.
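analysis: {"Conatiner":"[Any container image that uses the SCTP protocol]","CVE_Reason":"[A userspace application in the container can bypass cgroups limits, causing heavy consumption of host memory]","CVE_Consequence":"[This CVE may allow an attacker to consume large amounts of host memory through SCTP socket buffers, ultimately causing a denial of service; severe]"}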
cve: ./data/2020/14xxx/CVE-2020-14298.json
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the container host and other containers running on the same host. This issue only affects docker version 1.13.1-108.git4ef4b30.el7, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later versions are not affected.
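analysis: {"Conatiner":"[Affected container images, for example containers that use docker 1.13.1-108.git4ef4b30.el7]","CVE_Reason":"[A malicious container may exploit this vulnerability to escape and directly access host resources, leading to heavy consumption of host CPU, memory, or disk resources]","CVE_Consequence":"[An attacker can take full control of the host system and affect all containers running on it; severity is high risk]"}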
cve: ./data/2020/24xxx/CVE-2020-24263.json
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
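analysis: {"Conatiner":"Portainer","CVE_Reason":"A non-admin user can create new containers with critical capabilities such as SYS_MODULE, and these capabilities may lead to heavy consumption of host resources such as CPU and memory","CVE_Consequence":"This CVE allows an attacker with non-admin privileges to execute arbitrary code and take control of the Docker host; severity is high"}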
cve: ./data/2020/24xxx/CVE-2020-24264.json
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
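analysis: {"Container":"Portainer","CVE_Reason":"Running the container may result in the host filesystem being bind-mounted; an attacker can exploit this flaw to break out of the container and take full control of the Docker host, possibly consuming large amounts of CPU and memory","CVE_Consequence":"This CVE may lead to container escape, giving the attacker full control of the host; severity is high risk"}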
cve: ./data/2020/25xxx/CVE-2020-25220.json
The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.
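analysis: {"Conatiner":"[Container images that use an affected Linux kernel version]","CVE_Reason":"[Because of the use-after-free vulnerability, an attacker may trigger abnormal conditions that cause the container to consume excessive host CPU]","CVE_Consequence":"[This CVE may degrade host system performance or even cause a denial of service; severity is high]"}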
cve: ./data/2020/36xxx/CVE-2020-36694.json
An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.
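analysis: {"Container":"[Container images that use a Linux kernel version below 5.10]","CVE_Reason":"[A process in the container may exploit this vulnerability to trigger the use-after-free issue, leading to heavy CPU consumption]","CVE_Consequence":"[This CVE may exhaust the host's CPU resources; severity is high]"}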