CVE-2017-20189
Published 2024-01-22
Priority: P259 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.32% (67.3rd percentile)
In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clojure | clojure | < 1.9.0 | 1.9.0 |
| clojure | clojure | >= 0 < 1.9.0-1 | 1.9.0-1 |
| clojure | clojure | >= 0 < 1.9.0-1 | 1.9.0-1 |
| clojure | clojure | >= 0 < 1.9.0-1 | 1.9.0-1 |
| clojure | clojure | >= 0 < 1.9.0-1 | 1.9.0-1 |
| debian | clojure | < clojure 1.9.0-1 (bookworm) | clojure 1.9.0-1 (bookworm) |
Detection & IOCs
- Vulnerability involves Java deserialization of untrusted objects in Clojure before 1.9.0, where classes can be used to construct a serialized object that executes arbitrary code upon deserialization. Monitor for deserialization of untrusted data in applications using Clojure < 1.9.0.
- Exploitation is only relevant if the server deserializes untrusted objects; scope is listed as local, limiting remote attack surface.
- Fixed in Clojure 1.9.0-1 on all tracked Debian releases (bookworm, bullseye, forky, sid, trixie). Ensure the deployed Clojure version is 1.9.0 or later.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
Debian
CVE-2017-20189: clojure - In Clojure before 1.9.0, classes can be used to construct a serialized object th...
vendor_debian · 2017 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 1.9.0-1)
bullseye: resolved (fixed in 1.9.0-1)
forky: resolved (fixed in 1.9.0-1)
sid: resolved (fixed in 1.9.0-1)
trixie: resolved (fixed in 1.9.0-1)
OSV
Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization
osv · 2024-01-22 · CRITICAL
GHSA
Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization
ghsa · 2024-01-22 · CRITICAL · CWE-502
OSV
CVE-2017-20189: In Clojure before 1
osv · 2024-01-22 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://clojure.atlassian.net/browse/CLJ-2204
- https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
- https://github.com/frohoff/ysoserial/pull/68/files
- https://hackmd.io/%40fe1w0/HyefvRQKp
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
- https://security.netapp.com/advisory/ntap-20241108-0002/