Unbounded Memory Allocation Vulnerability in Google Guava Library
CVE-2018-10237

5.9 MEDIUM

Key Information:

Vendor: Google
Status: Vendor
CVE Published: 26 April 2018

Summary

The Google Guava library, specifically versions 11.0 to 24.x prior to 24.1.1, is susceptible to unbounded memory allocation, which can be exploited by remote attackers. The vulnerability stems from improper checks when deserializing data, particularly through the AtomicDoubleArray and CompoundOrdering classes. This design flaw allows attackers to send carefully crafted data that can cause denial of service by exhausting server resources, compromising the availability of applications that rely on this library.
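An inventory check for the affected range stated in the summary, added here as an example (it is not part of the advisory or of the Guava project). The `guava-<version>[-jre|-android].jar` file naming, the function names and the sample paths are assumptions made for illustration.

```python
import re

# Affected range taken from the summary: 11.0 up to, but excluding, 24.1.1.
FIRST_AFFECTED = (11, 0, 0)
FIRST_FIXED = (24, 1, 1)

# Assumed artifact naming: guava-<version>[-jre|-android].jar.
# Sibling artifacts such as guava-testlib-*.jar are deliberately not matched.
JAR_RE = re.compile(r"(?:^|[/\\])guava-(?P<ver>[0-9][^/\\]*?)\.jar$")
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(?:jre|android))?$")


def parse_version(text):
    """Return (major, minor, patch), or None for formats we cannot compare safely."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None  # e.g. "r09", "23.0-rc1", snapshots: report them, do not guess
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(version_text):
    """Map a Guava version string to 'affected', 'not-affected' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    in_range = FIRST_AFFECTED <= version < FIRST_FIXED
    return "affected" if in_range else "not-affected"


def scan(paths):
    """Classify every Guava jar found in an iterable of file paths."""
    findings = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            findings[path] = classify(m.group("ver"))
    return findings


# Constructed sample inventory (not taken from a real system).
SAMPLE_PATHS = [
    "/opt/app/lib/guava-20.0.jar",
    "/opt/app/lib/guava-24.1.1-jre.jar",
    "/opt/app/lib/guava-testlib-20.0.jar",
    "C:\\svc\\lib\\guava-23.6-android.jar",
    "/opt/app/lib/commons-io-2.6.jar",
]

if __name__ == "__main__":
    for jar, verdict in scan(SAMPLE_PATHS).items():
        print(f"{verdict:13} {jar}")
```

A filename scan does not see Guava classes that have been shaded or repackaged into another jar, so treat a clean result as a lower bound and confirm against the build's resolved dependency list.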

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
