Deserialization of Untrusted Data
Vulnerable module: com.google.guava:guava
Introduced through: com.github.fge:email@example.com
Introduced through: org.jboss.resteasy:firstname.lastname@example.org-SNAPSHOT › com.github.fge:email@example.com › com.github.fge:firstname.lastname@example.org › com.google.guava:email@example.com
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data.
During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:
AtomicDoubleArray (when serialized with Java serialization)
CompoundOrdering (when serialized with GWT serialization)
An attacker may be able to send a specially crafted serialized object whose declared size is never checked for plausibility, causing the server to allocate all of its memory before a single element has been read (a denial of service).
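The pattern the advisory describes, as an added illustration that is not Guava's code and not part of the advisory: a class whose custom readObject trusts the length field and allocates eagerly, beside a hardened variant that only grows its buffer as elements actually arrive. The class names, the forgeLength helper and the zero-element sample streams are constructed for this demo; the forgery patches the trailing TC_BLOCKDATA record that Java serialization emits for the int written by writeObject.

```java
import java.io.*;
import java.util.Arrays;

/* Added demo of the eager-allocation pattern; NOT Guava's code.
 * EagerArray, GrowingArray and forgeLength are hypothetical names. */
public class EagerAllocationDemo {

    static void writeValues(ObjectOutputStream out, double[] values) throws IOException {
        out.writeInt(values.length);
        for (double v : values) out.writeDouble(v);
    }

    /** Vulnerable pattern: trusts the length field and allocates it all up front. */
    static final class EagerArray implements Serializable {
        private static final long serialVersionUID = 1L;
        transient double[] values;
        EagerArray(double... values) { this.values = values; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            writeValues(out, values);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int length = in.readInt();          // attacker controlled
            values = new double[length];        // allocated before a single element is read
            for (int i = 0; i < length; i++) values[i] = in.readDouble();
        }
    }

    /** Hardened pattern: memory grows only as fast as the bytes actually arrive. */
    static final class GrowingArray implements Serializable {
        private static final long serialVersionUID = 1L;
        transient double[] values;
        GrowingArray(double... values) { this.values = values; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            writeValues(out, values);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int declared = in.readInt();
            if (declared < 0) throw new InvalidObjectException("negative length: " + declared);
            double[] buf = new double[Math.min(declared, 16)];   // small initial allocation
            int n = 0;
            while (n < declared) {
                if (n == buf.length) buf = Arrays.copyOf(buf, (int) Math.min(declared, 2L * buf.length));
                buf[n++] = in.readDouble();     // EOFException here if the stream lies about its size
            }
            values = buf;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Attacker side: overwrite the length in a legitimate zero-element stream.
     *  The custom data ends as TC_BLOCKDATA(0x77), length 4, the int, TC_ENDBLOCKDATA(0x78). */
    static byte[] forgeLength(byte[] legit, int fakeLength) {
        int n = legit.length;
        if (n < 7 || legit[n - 7] != 0x77 || legit[n - 6] != 0x04 || legit[n - 1] != 0x78) {
            throw new IllegalStateException("unexpected stream layout; refusing to patch blindly");
        }
        byte[] forged = legit.clone();
        forged[n - 5] = (byte) (fakeLength >>> 24);
        forged[n - 4] = (byte) (fakeLength >>> 16);
        forged[n - 3] = (byte) (fakeLength >>> 8);
        forged[n - 2] = (byte) fakeLength;
        return forged;
    }

    static String tryDeserialize(byte[] bytes) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return "deserialized " + in.readObject().getClass().getSimpleName();
        } catch (OutOfMemoryError e) {
            return "OutOfMemoryError: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        int fake = Integer.MAX_VALUE - 8;   // declares ~16 GiB of doubles; zero are actually sent
        byte[] eager = forgeLength(serialize(new EagerArray()), fake);
        byte[] growing = forgeLength(serialize(new GrowingArray()), fake);
        System.out.println("eager:   " + tryDeserialize(eager));    // fails in the allocation itself
        System.out.println("growing: " + tryDeserialize(growing));  // fails reading element 0, 16 doubles allocated
    }
}
```

Note that a JEP 290 ObjectInputFilter with a maxarray limit does not stop this: the length is a plain int consumed by readObject, not a stream-level array the filter can see. Until the dependency is upgraded, an allowlist filter that rejects the affected classes outright, or not exposing Java serialization to untrusted callers at all, is the effective mitigation.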