CVE-2017-20189

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
clojureclojure
𝑥
< 1.9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
clojure
bullseye
1.10.2-1
fixed
bookworm
1.11.1-2
fixed
sid
1.11.2-1
fixed
trixie
1.11.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
clojure
noble
not-affected
mantic
not-affected
lunar
not-affected
jammy
not-affected
focal
not-affected
bionic
needs-triage
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://clojure.atlassian.net/browse/CLJ-2204
https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
https://github.com/frohoff/ysoserial/pull/68/files
https://hackmd.io/%40fe1w0/HyefvRQKp
https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
https://clojure.atlassian.net/browse/CLJ-2204
https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
https://github.com/frohoff/ysoserial/pull/68/files
https://hackmd.io/%40fe1w0/HyefvRQKp
https://security.netapp.com/advisory/ntap-20241108-0002/
https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378