CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Published: Apr 26, 2018
Updated: Nov 8, 2023
CVE: CVE-2018-10237
GHSA: GHSA-mvr2-9pj6-7w5j
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
google / guava	11.0	24.1.1
redhat / virtualization_host	4.0	4.0.x
redhat / virtualization	4.2	4.2.x
redhat / openshift_container_platform	3.11	3.11.x
redhat / satellite	6.4	6.4.x
redhat / openstack	13	13.x
redhat / satellite_capsule	6.4	6.4.x
redhat / jboss_enterprise_application_platform	6.0.0	6.0.0.x
redhat / jboss_enterprise_application_platform	6.4.0	6.4.0.x
redhat / jboss_enterprise_application_platform	7.1.0	7.1.0.x
redhat / openshift_container_platform	4.1	4.1.x
redhat / virtualization	4.0	4.0.x
oracle / flexcube_investor_servicing	12.3.0	12.3.0.x
oracle / flexcube_investor_servicing	12.1.0	12.1.0.x
oracle / retail_xstore_point_of_service	15.0	15.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / retail_xstore_point_of_service	7.1	7.1.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / retail_integration_bus	15.0	15.0.x
oracle / weblogic_server	12.2.1.3.0	12.2.1.3.0.x
oracle / database_server	12.2.0.1	12.2.0.1.x
oracle / flexcube_investor_servicing	12.4.0	12.4.0.x
oracle / retail_xstore_point_of_service	16.0	16.0.x
oracle / database_server	18c	18c.x
oracle / flexcube_investor_servicing	14.0.0	14.0.0.x
oracle / retail_integration_bus	16.0	16.0.x
oracle / database_server	19c	19c.x
oracle / flexcube_investor_servicing	14.1.0	14.1.0.x
oracle / retail_xstore_point_of_service	17.0	17.0.x
oracle / communications_ip_service_activator	7.4.0	7.4.0.x
oracle / communications_ip_service_activator	7.3.0	7.3.0.x
oracle / banking_payments	14.1.0	14.4.0.x
oracle / customer_management_and_segmentation_foundation	18.0	18.0.x
com.google.guava / guava	11.0	24.1.1

Vulnerability Database

289,599

CVE-2018-10237