Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qZ3hjLThtd3EtOXhxd84AA4mo
Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization
In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
Permalink: https://github.com/advisories/GHSA-jgxc-8mwq-9xqwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZ3hjLThtd3EtOXhxd84AA4mo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 11 months ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jgxc-8mwq-9xqw, CVE-2017-20189
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-20189
- https://github.com/frohoff/ysoserial/pull/68/files
- https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
- https://clojure.atlassian.net/browse/CLJ-2204
- https://hackmd.io/%40fe1w0/HyefvRQKp
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
- https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ
- https://github.com/advisories/GHSA-jgxc-8mwq-9xqw
Blast Radius: 36.5
Affected Packages
maven:org.clojure:clojure
Dependent packages: 439Dependent repositories: 5,297
Downloads:
Affected Version Ranges: < 1.9.0
Fixed in: 1.9.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0
All unaffected versions: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0