Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data. The AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent or on whether the declared data size is reasonable.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.google.guava:guava (Maven) | 11.0 | 24.1.1-android | N/A |
| com.google.guava:guava-jdk5 (Maven) | 0 | N/A | N/A |
| com.googlecode.guava-osgi:guava-osgi (Maven) | 0 | N/A | N/A |
| de.mhus.ports:vaadin-shared-deps (Maven) | 0 | N/A | N/A |
| org.hudsonci.lib.guava:guava (Maven) | 0 | N/A | N/A |
| org.sonatype.sisu:sisu-guava (Maven) | N/A | N/A | N/A |
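As an added illustration (not Guava's code and not part of the advisory): a stand-in serializable class, with assumed names, that shows the eager-allocation shape the advisory describes next to a custom `readObject` that only grows its buffer with the elements actually present in the stream, which is the general remedy for this bug class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Stand-in for a serializable array holder (not Guava's AtomicDoubleArray) showing
// the allocation pattern behind the advisory next to a bounded alternative.
public final class DoubleHolder implements Serializable {
    private static final long serialVersionUID = 1L;
    private transient double[] values;
    public DoubleHolder(double... values) { this.values = values.clone(); }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(values.length);
        for (double v : values) out.writeDouble(v);
    }

    // Vulnerable shape, kept only for comparison (never invoked): the length field is
    // trusted and the whole array is allocated before any element has been read.
    private void readObjectEager(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int length = in.readInt();
        double[] tmp = new double[length];            // sized by untrusted input
        for (int i = 0; i < length; i++) tmp[i] = in.readDouble();
        values = tmp;
    }
    // Hardened shape: the buffer grows only as elements arrive, so memory use is
    // bounded by bytes really present; a length that overstates the data ends in
    // EOFException from readDouble rather than a large up-front allocation.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int length = in.readInt();
        double[] tmp = new double[0];
        int n = 0;
        for (int i = 0; i < length; i++) {
            if (n == tmp.length) tmp = Arrays.copyOf(tmp, Math.max(8, n * 2));
            tmp[n++] = in.readDouble();
        }
        values = Arrays.copyOf(tmp, n);
    }

    public static void main(String[] args) throws Exception {   // round-trip demo
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new DoubleHolder(1.5, 2.5)); }
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        System.out.println(Arrays.toString(((DoubleHolder) ois.readObject()).values));
    }
}
```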