CVE-2018-10237
moderate-risk
Published 2018-04-26
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Do I need to act?
EPSS: 3.3% chance of exploitation in next 30 days (moderate exploit probability)
CISA KEV: not on the CISA KEV list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 5.9/10 (Medium); attack vector NETWORK / attack complexity HIGH
Affected Products (20)
Guava
Satellite Capsule
Customer Management And Segmentation Foundation
References (106)
http://www.securitytracker.com/id/1041707 (Broken Link)
https://access.redhat.com/errata/RHSA-2018:2423 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2424 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2425 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2428 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2598 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2643 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2740 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2741 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2742 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2743 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2927 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2019:2858 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2019:3149 (Third Party Advisory)
and 86 more references
Risk score: 48 / 100 (moderate-risk)
Severity: 18/34 · Moderate
Exploitability: 7/34 · Low
Exposure: 23/34 · High