CVE-2018-10237
Severity
5.9 MEDIUM
EPSS
3.3%
top 12.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 26
Latest update: Oct 15
Description
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 22 packages
Also affects: Openshift Container Platform 3.11, 4.1
Patches
Vulnerability Details (4)
Vendor Advisories (7)
Oracle: Oracle Fusion Middleware Risk Matrix: Web Services (Google Guava) — CVE-2018-10237 (2021-10-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Google Guava) — CVE-2018-10237 (2021-01-15)
Oracle: Oracle Retail Applications Risk Matrix: Xstore Office (Google Guava) — CVE-2018-10237 (2020-04-15)
Red Hat: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (2018-04-25)
Community (3)
Bugzilla: CVE-2018-10237 guava20: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service [fedora-28] (2018-05-04)
Bugzilla: CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (2018-05-01)
Bugzilla: CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service [fedora-all] (2018-05-01)