GHSA-mvr2-9pj6-7w5j

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Database specific

{
    "nvd_published_at": "2018-04-26T21:29:00Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-502",
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-11T18:34:57Z"
}

References

Affected packages

Maven

com.google.guava:guava

Package

Name: com.google.guava:guava; View open source insights on deps.dev
Purl: pkg:maven/com.google.guava/guava

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0

Fixed

24.1.1-android

Affected versions

11.*

11.0

11.0.1

11.0.2

12.*

12.0-rc1

12.0-rc2

12.0

12.0.1

13.*

13.0-rc1

13.0-rc2

13.0

13.0.1

14.*

14.0-rc1

14.0-rc2

14.0-rc3

14.0

14.0.1

15.*

15.0-rc1

15.0

16.*

16.0-rc1

16.0

16.0.1

17.*

17.0-rc1

17.0-rc2

17.0

18.*

18.0-rc1

18.0-rc2

18.0

19.*

19.0-rc1

19.0-rc2

19.0-rc3

19.0

20.*

20.0-rc1

20.0

21.*

21.0-rc1

21.0-rc2

21.0

22.*

22.0-rc1

22.0-rc1-android

22.0

22.0-android

23.*

23.0-rc1

23.0-rc1-android

23.0

23.0-android

23.1-android

23.1-jre

23.2-android

23.2-jre

23.3-android

23.3-jre

23.4-android

23.4-jre

23.5-android

23.5-jre

23.6-android

23.6-jre

23.6.1-android

23.6.1-jre

24.*

24.0-android

24.0-jre

24.1-android

24.1-jre

com.google.guava:guava-jdk5

Package

Name: com.google.guava:guava-jdk5; View open source insights on deps.dev
Purl: pkg:maven/com.google.guava/guava-jdk5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

17.0

Affected versions

13.*

13.0

14.*

14.0.1-rc1

14.0.1

16.*

16.0-rc1

16.0

17.*

17.0-rc1

17.0-rc2

17.0

com.googlecode.guava-osgi:guava-osgi

Package

Name: com.googlecode.guava-osgi:guava-osgi; View open source insights on deps.dev
Purl: pkg:maven/com.googlecode.guava-osgi/guava-osgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

11.0.1

Affected versions

3.*

3.0.0

4.*

4.0.0

5.*

5.0.0

6.*

6.0.0

7.*

7.0.0

8.*

8.0.0

9.*

9.0.0

10.*

10.0.0

10.0.1

11.*

11.0.0

11.0.1

de.mhus.ports:vaadin-shared-deps

Package

Name: de.mhus.ports:vaadin-shared-deps; View open source insights on deps.dev
Purl: pkg:maven/de.mhus.ports/vaadin-shared-deps

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

7.4.0

Affected versions

1.*

1.3.1

1.3.4

1.3.6

1.3.7

1.6.0

1.6.1

6.*

6.2.0

7.*

7.0.0

7.1.0

7.2.0

7.4.0

org.hudsonci.lib.guava:guava

Package

Name: org.hudsonci.lib.guava:guava; View open source insights on deps.dev
Purl: pkg:maven/org.hudsonci.lib.guava/guava

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

14.0.1-h-3

Affected versions

14.*

14.0.1-h-1

14.0.1-h-2

14.0.1-h-3

org.sonatype.sisu:sisu-guava

Package

Name: org.sonatype.sisu:sisu-guava; View open source insights on deps.dev
Purl: pkg:maven/org.sonatype.sisu/sisu-guava

Affected ranges

Affected versions

0.*

0.11.1