84 matches found

UbuntuCve
added 2024/01/22 12:00 a.m. · 21 views

CVE-2017-20189

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects...

CVSS 9.8 · AI score 7.3 · EPSS 0.03376
Exploits 1 · References 5

CNNVD
added 2024/01/22 12:00 a.m. · 0 views

Clojure Security Vulnerabilities

Clojure is a programming language open-sourced by Clojure. A security vulnerability exists in Clojure versions prior to 1.9.0. An attacker exploited the vulnerability to execute arbitrary code...

CVSS 9.8 · AI score 7.9 · EPSS 0.03376
Exploits 1 · References 6

Debian CVE
added 2024/01/22 12:00 a.m. · 20 views

CVE-2017-20189

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects...

CVSS 9.8 · AI score 8.7 · EPSS 0.03376
Exploits 1

Positive Technologies
added 2024/01/22 12:00 a.m. · 1 view

PT-2024-6048 · Clojure +1 · Clojure +1

Name of the Vulnerable Software and Affected Versions: Clojure versions prior to 1.9.0
Description: The issue is related to the deserialization of untrusted data in the Clojure programming language interpreter. It allows a remote attacker to execute arbitrary code upon deserialization. This is...

CVSS 10 · AI score 9 · EPSS 0.03376
Exploits 2 · References 19

CVE
added 2024/01/22 12:00 a.m. · 36 views

CVE-2017-20189

CVE-2017-20189 is a deserialization flaw in Clojure prior to 1.9.0 that allows remote attackers to execute arbitrary code when untrusted serialized objects are deserialized on the server. Public details in connected docs confirm affected Clojure versions (including 1.7.x–1.11.x and 1.12.0-alpha5 ...

CVSS 9.8 · AI score 9.4 · EPSS 0.03376
Exploits 1 · References 6 · Affected Software 1

Vulnrichment
added 2024/01/22 12:00 a.m. · 3 views

CVE-2017-20189

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects...

AI score 7.6 · EPSS 0.03376
Exploits 1 · References 5

Cvelist
added 2024/01/22 12:00 a.m. · 13 views

CVE-2017-20189

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects...

AI score 9.5 · EPSS 0.03376
Exploits 1 · References 5

Tenable Nessus
added 2023/11/08 12:00 a.m. · 8 views

Debian dla-3647 : libtrapperkeeper-webserver-jetty9-clojure - security update

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3647 advisory. Debian LTS Advisory DLA-3647-1 [email protected] https://www.debian.org/lts/security/...

AI score 5.5
Exploits 0 · References 2

OpenVAS
added 2023/11/08 12:00 a.m. · 8 views

Debian: Security Advisory (DLA-3647-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AI score 7.5
Exploits 0 · References 4

OSV
added 2023/11/07 12:00 a.m. · 13 views

DLA-3647-1 trapperkeeper-webserver-jetty9-clojure - security update

Bulletin has no description...

AI score 7.2
Exploits 0

Debian
added 2023/11/06 11:19 p.m. · 6 views

[SECURITY] [DLA 3647-1] trapperkeeper-webserver-jetty9-clojure

Debian LTS Advisory DLA-3647-1 [email protected] https://www.debian.org/lts/security/
Markus Koschany, November 07, 2023, https://wiki.debian.org/LTS
Package : trapperkeeper-webserver-jetty9-clojure
Version : 1.7.0-2+deb10u2
Debian Bug : 1055348
The recent update of jetty9, released as DL...

AI score 5.7
Exploits 0

Snyk
added 2023/06/26 4:11 p.m. · 1 view

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data. If a server can deserialize objects from an untrusted source, it is possible to craft a serialized object that runs arbitrary code on deserialization. Note: The attacker would likely need to be in a...

CVSS 9.8 · AI score 7.4 · EPSS 0.03376
Exploits 1 · References 2

vulnersOsv
added 2023/06/26 4:11 p.m. · 0 views

au.com.permeance:liferay-clojure-integration (=0.1), ch.cern:entwined-stm (>=1.0.0 <=1.0.1) +329 more potentially affected by CVE-2017-20189 via org.clojure:clojure (>=1.2.0 <=1.9.0-beta3)

org.clojure:clojure MAVEN version =1.2.0, =1.0.0, =1.0.0-RELEASE, =1.0.0, =0.1.0, =8.4.0, =0.1.0, =0.0.3, =1.9.921, =0.0.1, =0.0.1, =0.2.2 and more
Source cves: CVE-2017-20189
Source advisory: SNYK:JAVA-ORGCLOJURE-5740378...

CVSS 9.8 · AI score 7.2 · EPSS 0.03376
Exploits 1

NVD
added 2023/03/27 9:15 p.m. · 15 views

CVE-2023-28628

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 authority-regex allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in questio...

CVSS 6.1 · AI score 5.9 · EPSS 0.00227
Exploits 1 · References 2

UbuntuCve
added 2023/03/27 9:15 p.m. · 25 views

CVE-2023-28628

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 authority-regex allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in questio...

CVSS 6.1 · AI score 6.3 · EPSS 0.00227
Exploits 1 · References 4

Prion
added 2023/03/27 9:15 p.m. · 12 views

Design/Logic Flaw

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 authority-regex allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in questio...

CVSS 5.8 · AI score 6 · EPSS 0.00227
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2023/03/27 8:20 p.m. · 16 views

CVE-2023-28628 `authority-regex` returns the wrong authority in lambdaisland/uri

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 authority-regex allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in questio...

CVSS 5.4 · AI score 6.3 · EPSS 0.00227
Exploits 1 · References 2

OSV
added 2023/03/27 8:20 p.m. · 17 views

CVE-2023-28628 `authority-regex` returns the wrong authority in lambdaisland/uri

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 authority-regex allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in questio...

CVSS 5.4 · AI score 6.4 · EPSS 0.00227
Exploits 1 · References 4

CVE
added 2023/03/27 8:20 p.m. · 48 views

CVE-2023-28628

CVE-2023-28628 affects lambdaisland/uri (Clojure/ClojureScript) prior to 1.14.120, where authority-regex does not correctly handle backslashes in usernames, causing the library to parse and report an incorrect host (e.g., payload https://[email protected] returns host google.com instead of e...

CVSS 6.1 · AI score 5.6 · EPSS 0.00227
Exploits 1 · References 2 · Affected Software 1

CVE
added 2022/08/14 12:25 a.m. · 88 views

CVE-2022-36007

Venice (com.github.jlangch:venice) contains a Partial Path Traversal flaw in the load-file and load-resource functions. When given absolute paths whose name prefix matches a configured load path (e.g., "/Users/foo/resources"), an attacker can access files outside the intended directory (e.g., "/U...

CVSS 6.1 · AI score 4.2 · EPSS 0.00137
Exploits 1 · References 4 · Affected Software 1