GHSA-mvr2-9pj6-7w5j

Source
https://github.com/advisories/GHSA-mvr2-9pj6-7w5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mvr2-9pj6-7w5j
Published
2020-06-15T20:35:11Z
Modified
2024-10-22T05:29:03.107335Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Denial of Service in Google Guava
Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Database specific
{
    "nvd_published_at": "2018-04-26T21:29:00Z",
    "cwe_ids": [
        "CWE-502",
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-11T18:34:57Z"
}

Affected packages

Maven / com.google.guava:guava

Package

Name
com.google.guava:guava
Purl
pkg:maven/com.google.guava/guava

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0
Fixed
24.1.1-android

Affected versions

11.*

11.0
11.0.1
11.0.2

12.*

12.0-rc1
12.0-rc2
12.0
12.0.1

13.*

13.0-rc1
13.0-rc2
13.0
13.0.1

14.*

14.0-rc1
14.0-rc2
14.0-rc3
14.0
14.0.1

15.*

15.0-rc1
15.0

16.*

16.0-rc1
16.0
16.0.1

17.*

17.0-rc1
17.0-rc2
17.0

18.*

18.0-rc1
18.0-rc2
18.0

19.*

19.0-rc1
19.0-rc2
19.0-rc3
19.0

20.*

20.0-rc1
20.0

21.*

21.0-rc1
21.0-rc2
21.0

22.*

22.0-rc1
22.0-rc1-android
22.0
22.0-android

23.*

23.0-rc1
23.0-rc1-android
23.0
23.0-android
23.1-android
23.1-jre
23.2-android
23.2-jre
23.3-android
23.3-jre
23.4-android
23.4-jre
23.5-android
23.5-jre
23.6-android
23.6-jre
23.6.1-android
23.6.1-jre

24.*

24.0-android
24.0-jre
24.1-android
24.1-jre

Maven / com.google.guava:guava-jdk5

Package

Name
com.google.guava:guava-jdk5
Purl
pkg:maven/com.google.guava/guava-jdk5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
17.0

Affected versions

13.*

13.0

14.*

14.0.1-rc1
14.0.1

16.*

16.0-rc1
16.0

17.*

17.0-rc1
17.0-rc2
17.0

Maven / com.googlecode.guava-osgi:guava-osgi

Package

Name
com.googlecode.guava-osgi:guava-osgi
Purl
pkg:maven/com.googlecode.guava-osgi/guava-osgi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
11.0.1

Affected versions

3.*

3.0.0

4.*

4.0.0

5.*

5.0.0

6.*

6.0.0

7.*

7.0.0

8.*

8.0.0

9.*

9.0.0

10.*

10.0.0
10.0.1

11.*

11.0.0
11.0.1

Maven / de.mhus.ports:vaadin-shared-deps

Package

Name
de.mhus.ports:vaadin-shared-deps
Purl
pkg:maven/de.mhus.ports/vaadin-shared-deps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
7.4.0

Affected versions

1.*

1.3.1
1.3.4
1.3.6
1.3.7
1.6.0
1.6.1

6.*

6.2.0

7.*

7.0.0
7.1.0
7.2.0
7.4.0

Maven / org.hudsonci.lib.guava:guava

Package

Name
org.hudsonci.lib.guava:guava
Purl
pkg:maven/org.hudsonci.lib.guava/guava

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
14.0.1-h-3

Affected versions

14.*

14.0.1-h-1
14.0.1-h-2
14.0.1-h-3

Maven / org.sonatype.sisu:sisu-guava

Package

Name
org.sonatype.sisu:sisu-guava
Purl
pkg:maven/org.sonatype.sisu/sisu-guava

Affected ranges

Affected versions

0.*

0.11.1