CVE-2018-10237

5.9MEDIUM

Key Information:

Vendor
Google
Status
Guava
Vendor
CVE Published:
26 April 2018

Summary

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

References

https://access.redhat.com/errata/RHSA-2018:2428
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2740
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2741
vendor-advisoryx_refsource_REDHAT

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.