CVE-2018-10237 - 漏洞详情

CVE-2018-10237 (CNNVD-201804-1461)

MEDIUM

中文标题:

Google Guava 代码问题漏洞

英文标题:

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers ...

CVSS分数: 5.9

发布时间: 2018-04-26 21:00:00

漏洞类型: 代码问题

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v3

漏洞描述

中文描述:

Google Guava是美国谷歌（Google）公司的一款包括图形库、函数类型、I/O和字符串处理等的Java核心库。 Google Guava 11.0版本至24.1.1版本（不包括24.1.1版本）中存在代码问题漏洞。该漏洞源于网络系统或产品的代码开发过程中存在设计或实现不当的问题。

英文描述:

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CWE类型:

CWE-770

受影响产品

厂商	产品	版本	版本范围	平台	CPE
google	guava	*	-	-	`cpe:2.3:a:google:guava::::::::`
redhat	openshift_container_platform	3.11	-	-	`cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*`
redhat	openstack	13	-	-	`cpe:2.3:a:redhat:openstack:13:::::::*`
redhat	satellite	6.4	-	-	`cpe:2.3:a:redhat:satellite:6.4:::::::*`
redhat	satellite_capsule	6.4	-	-	`cpe:2.3:a:redhat:satellite_capsule:6.4:::::::*`
redhat	virtualization	4.2	-	-	`cpe:2.3:a:redhat:virtualization:4.2:::::::*`
redhat	virtualization_host	4.0	-	-	`cpe:2.3:a:redhat:virtualization_host:4.0:::::::*`
redhat	jboss_enterprise_application_platform	6.0.0	-	-	`cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:::::::*`
redhat	jboss_enterprise_application_platform	6.4.0	-	-	`cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:::::::*`
redhat	jboss_enterprise_application_platform	7.1.0	-	-	`cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:::::::*`
redhat	openshift_container_platform	4.1	-	-	`cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*`
redhat	virtualization	4.0	-	-	`cpe:2.3:a:redhat:virtualization:4.0:::::::*`
oracle	banking_payments	*	-	-	`cpe:2.3:a:oracle:banking_payments::::::::`
oracle	communications_ip_service_activator	7.3.0	-	-	`cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:::::::*`
oracle	communications_ip_service_activator	7.4.0	-	-	`cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:::::::*`
oracle	customer_management_and_segmentation_foundation	18.0	-	-	`cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:::::::*`
oracle	database_server	12.2.0.1	-	-	`cpe:2.3:a:oracle:database_server:12.2.0.1:::::::*`
oracle	database_server	18c	-	-	`cpe:2.3:a:oracle:database_server:18c:::::::*`
oracle	database_server	19c	-	-	`cpe:2.3:a:oracle:database_server:19c:::::::*`
oracle	flexcube_investor_servicing	12.1.0	-	-	`cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:::::::*`
oracle	flexcube_investor_servicing	12.3.0	-	-	`cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:::::::*`
oracle	flexcube_investor_servicing	12.4.0	-	-	`cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:::::::*`
oracle	flexcube_investor_servicing	14.0.0	-	-	`cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:::::::*`
oracle	flexcube_investor_servicing	14.1.0	-	-	`cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:::::::*`
oracle	flexcube_private_banking	12.0.0	-	-	`cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:::::::*`
oracle	flexcube_private_banking	12.1.0	-	-	`cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*`
oracle	retail_integration_bus	15.0	-	-	`cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*`
oracle	retail_integration_bus	16.0	-	-	`cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*`
oracle	retail_xstore_point_of_service	7.1	-	-	`cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*`
oracle	retail_xstore_point_of_service	15.0	-	-	`cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*`
oracle	retail_xstore_point_of_service	16.0	-	-	`cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*`
oracle	retail_xstore_point_of_service	17.0	-	-	`cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*`
oracle	weblogic_server	12.2.1.3.0	-	-	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

RHSA-2018:2428 vendor-advisory
cve.org

访问

RHSA-2018:2740 vendor-advisory
cve.org

访问

RHSA-2018:2741 vendor-advisory
cve.org

访问

RHSA-2018:2742 vendor-advisory
cve.org

访问

RHSA-2018:2598 vendor-advisory
cve.org

访问

RHSA-2018:2643 vendor-advisory
cve.org

访问

RHSA-2018:2424 vendor-advisory
cve.org

访问

RHSA-2018:2423 vendor-advisory
cve.org

访问

RHSA-2018:2425 vendor-advisory
cve.org

访问

RHSA-2018:2927 vendor-advisory
cve.org

访问

1041707 vdb-entry
cve.org

访问

RHSA-2018:2743 vendor-advisory
cve.org

访问

[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project mailing-list
cve.org

访问

[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project mailing-list
cve.org

访问

[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 mailing-list
cve.org

访问

[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0 mailing-list
cve.org

访问

[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1 mailing-list
cve.org

访问

[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3 mailing-list
cve.org

访问

[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar mailing-list
cve.org

访问

RHSA-2019:2858 vendor-advisory
cve.org

访问

[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities mailing-list
cve.org

访问

RHSA-2019:3149 vendor-advisory
cve.org

访问

[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities mailing-list
cve.org

访问

[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities mailing-list
cve.org

访问

[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237 mailing-list
cve.org

访问

[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237 mailing-list
cve.org

访问

[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237 mailing-list
cve.org

访问

[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka mailing-list
cve.org

访问

[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237 mailing-list
cve.org

访问

[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237 mailing-list
cve.org

访问

[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237 mailing-list
cve.org

访问

[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15? mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10 mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version mailing-list
cve.org

访问

[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version mailing-list
cve.org

访问

[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency mailing-list
cve.org

访问

[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency mailing-list
cve.org

访问

[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency mailing-list
cve.org

访问

[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava mailing-list
cve.org

访问

[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava mailing-list
cve.org

访问

[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core mailing-list
cve.org

访问

[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency mailing-list
cve.org

访问

[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes mailing-list
cve.org

访问

[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability mailing-list
cve.org

访问

[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities mailing-list
cve.org

访问

[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

CVSS评分详情

5.9

MEDIUM

CVSS向量: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS版本: 3.1

机密性

NONE

完整性

NONE

可用性

HIGH

时间信息

发布时间:

2018-04-26 21:00:00

修改时间:

2024-08-05 07:32:01

创建时间:

2025-11-11 15:34:59

更新时间:

2025-11-11 15:53:39

利用信息

暂无可利用代码信息

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2018-10237`	2025-11-11 15:19:37	2025-11-11 07:34:59
NVD	`nvd_CVE-2018-10237`	2025-11-11 14:55:54	2025-11-11 07:43:35
CNNVD	`cnnvd_CNNVD-201804-1461`	2025-11-11 15:10:00	2025-11-11 07:53:39

版本与语言

当前版本: v3

主要语言: EN

支持语言:

EN ZH

安全公告

暂无安全公告信息

变更历史

v3 CNNVD

2025-11-11 15:53:39

vulnerability_type: 未提取 → 代码问题; cnnvd_id: 未提取 → CNNVD-201804-1461; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 代码问题
cnnvd_id: 未提取 -> CNNVD-201804-1461
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:43:35

cvss_score: 未提取 → 5.9; cvss_vector: NOT_EXTRACTED → CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H; cvss_version: NOT_EXTRACTED → 3.1; affected_products_count: 0 → 33; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

cvss_score: 未提取 -> 5.9
cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss_version: NOT_EXTRACTED -> 3.1
affected_products_count: 0 -> 33
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2018-10237 (CNNVD-201804-1461)

中文标题:

Google Guava 代码问题漏洞

英文标题:

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers ...

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史