PT-2018-3541 · Google · Google Guava
Published 2018-04-26 · Updated 2026-05-18
CVE-2018-10237
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Google Guava versions 11.0 through 24.x before 24.1.1
Description:
The issue is unbounded memory allocation during Java deserialization of the AtomicDoubleArray and CompoundOrdering classes. The serial form of both classes begins with an element count read straight from the stream, and the affected versions eagerly allocate storage for that many elements before checking whether the count is plausible or whether that many elements are actually present. A few bytes in a crafted stream are therefore enough to make the receiving JVM reserve gigabytes of heap. A remote attacker who can get a server that uses this library to deserialize attacker-controlled data can exhaust its memory and cause a denial of service. There is no confidentiality or integrity impact; the vector above reflects an availability-only impact and the high attack complexity of needing an exposed deserialization path.
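The allocation pattern described above, as an added example that is not Guava's code: a toy class with a length-prefixed serial form in its vulnerable form (EagerArray) beside a hardened form (LazyArray). The class names, the MAX_ELEMENTS bound and the declaredLengthOverride switch that makes writeObject emit a bogus count are all constructed for the demo; the sample payload is three doubles.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/** Toy stand-in reproducing the eager-allocation pattern; not Guava's code. */
public final class LengthPrefixDemo {

    /** Demo switch (assumption): when >= 0, writeObject lies about the element count, as a hostile client would. */
    static int declaredLengthOverride = -1;

    static void writeElements(ObjectOutputStream s, double[] values) throws IOException {
        s.writeInt(declaredLengthOverride >= 0 ? declaredLengthOverride : values.length);
        for (double d : values) s.writeDouble(d);
    }

    /** Vulnerable pattern: allocates an array sized by the untrusted count before reading a single element. */
    static final class EagerArray implements Serializable {
        private static final long serialVersionUID = 1L;
        transient double[] values;
        EagerArray(double[] v) { values = v; }

        private void writeObject(ObjectOutputStream s) throws IOException {
            s.defaultWriteObject();
            writeElements(s, values);
        }

        private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
            s.defaultReadObject();
            int length = s.readInt();       // attacker-controlled
            values = new double[length];    // eager: four bytes on the wire reserve up to 16 GiB of heap
            for (int i = 0; i < length; i++) values[i] = s.readDouble();
        }
    }

    /** Hardened pattern: reject implausible counts, and let memory grow only with bytes actually received. */
    static final class LazyArray implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int MAX_ELEMENTS = 1 << 20;   // application-specific bound (assumption for the demo)
        transient double[] values;
        LazyArray(double[] v) { values = v; }

        private void writeObject(ObjectOutputStream s) throws IOException {
            s.defaultWriteObject();
            writeElements(s, values);
        }

        private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
            s.defaultReadObject();
            int length = s.readInt();
            if (length < 0 || length > MAX_ELEMENTS) {
                throw new InvalidObjectException("element count out of range: " + length);
            }
            List<Double> buf = new ArrayList<>();   // grows with the data; a short stream ends in EOFException
            for (int i = 0; i < length; i++) buf.add(s.readDouble());
            values = new double[buf.size()];
            for (int i = 0; i < values.length; i++) values[i] = buf.get(i);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        double[] data = {1.5, 2.5, 3.5};             // constructed sample payload: 24 bytes of elements
        declaredLengthOverride = Integer.MAX_VALUE;  // hostile stream claims 2^31-1 elements
        byte[] eagerPayload = serialize(new EagerArray(data));
        byte[] lazyPayload = serialize(new LazyArray(data));
        declaredLengthOverride = -1;

        System.out.println("payload size: " + eagerPayload.length + " bytes");
        try {
            deserialize(eagerPayload);               // allocation fails before any element is read
        } catch (OutOfMemoryError e) {
            System.out.println("EagerArray: " + e);
        }
        try {
            deserialize(lazyPayload);                // rejected by the bound check, nothing allocated
        } catch (IOException e) {
            System.out.println("LazyArray: " + e);
        }
    }
}
```

The point of LazyArray is not the bound alone: even if an attacker picks a count inside MAX_ELEMENTS, the growable buffer means the server spends memory only on elements that actually arrive, and a stream that stops early ends in an EOFException rather than a pre-reserved allocation. Catching OutOfMemoryError is acceptable only in a demonstration like this one; in a real server the allocation in EagerArray is what takes the process down.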
Recommendations:
For Google Guava versions 11.0 through 24.x before 24.1.1, update to version 24.1.1 or later, which removes the eager allocation from the serial form of both classes. Check the transitive dependency tree as well, since Guava is frequently pulled in indirectly by other libraries. As a temporary workaround, do not deserialize Java serialization data from untrusted sources where that is at all possible; where it is not, apply a deserialization filter that rejects
com.google.common.util.concurrent.AtomicDoubleArray and com.google.common.collect.CompoundOrdering by name and confines the remaining classes to an allow-list until the upgrade is in place.
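One way to implement the workaround, added here and not taken from the advisory or from Guava: a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9 and later; Java 8u121 and later ship it as sun.misc.ObjectInputFilter) that rejects the two classes by name and confines everything else to an allow-list. The filter pattern, the resource limits and the com.example.app package are assumptions to be adapted to the application; the NotAllowed class is constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/** Example deserialization filter for an application that cannot upgrade Guava immediately. */
public final class GuavaDeserializationFilter {

    /*
     * The first matching pattern wins, so the two classes named in the advisory are rejected
     * before the broader allow rule for com.google.common.**. The resource limits are defence in
     * depth: maxarray only bounds arrays that ObjectInputStream allocates itself, and an allocation
     * done with new inside a custom readObject is not seen by the filter, so the class rejections
     * are the reliable part. com.example.app.** is a placeholder for the application's own types.
     */
    static final String PATTERN =
          "!com.google.common.util.concurrent.AtomicDoubleArray;"
        + "!com.google.common.collect.CompoundOrdering;"
        + "maxdepth=20;maxrefs=10000;maxarray=100000;maxbytes=1048576;"
        + "java.lang.*;java.util.*;com.google.common.**;com.example.app.**;!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);   // per-stream; the same pattern can be set JVM-wide via -Djdk.serialFilter=...
            return ois.readObject();
        }
    }

    /** Constructed type that is not on the allow-list; stands in for any class the filter should refuse to resolve. */
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        List<String> ok = new ArrayList<>(List.of("a", "b"));   // java.util.* is allowed
        System.out.println("allowed: " + deserialize(serialize(ok)));
        try {
            deserialize(serialize(new NotAllowed()));              // matches the trailing !* rule
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A rejected class surfaces as an InvalidClassException before its readObject ever runs, which is what makes the name-based rejection effective against allocation performed inside custom readObject methods. Setting the filter per stream, as here, is preferable to relying only on the jdk.serialFilter system property, because the global setting is easy to lose when the JVM launch command changes.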
Tags: DoS · Deserialization of Untrusted Data (CWE-502) · Allocation of Resources Without Limits or Throttling (CWE-770)
Affected products: Alt Linux, Google Guava