PRIOn knowledge basePRION:CVE-2017-20189

HistoryJan 22, 2024 - 6:15 a.m.

Deserialization of untrusted data

2024-01-2206:15:00

PRIOn knowledge base

www.prio-n.com

clojure

untrusted data

deserialization

vulnerability

nvd

7.4 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

32.6%

JSON

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.

CPENameOperatorVersion
clojurelt1.9.0

CPE	Name	Operator	Version
	clojure	lt	1.9.0

References

clojure.atlassian.net/browse/CLJ-2204

github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3

github.com/frohoff/ysoserial/pull/68/files

hackmd.io/%40fe1w0/HyefvRQKp

security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378