Vulnerability Details : CVE-2017-20189
Potential exploit
In Clojure before 1.9.0, Clojure classes can be used to craft a serialized Java object that executes arbitrary code when it is deserialized (tracked as CLJ-2204; a ysoserial gadget chain for it is referenced below). The fix, commit 271674c, disables serialization of proxy classes. This matters for any JVM server that has Clojure on its classpath and deserializes untrusted data with java.io.ObjectInputStream: as with other Java deserialization gadget chains, the classes only need to be loadable, not used by the application's own code.
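The practical control for the situation described above is to refuse to deserialize anything that is not explicitly expected. As an added example (not code from the Clojure project, the advisory, or ysoserial), the Python below sniffs the Java serialization header, pulls class names out of TC_CLASSDESC records, and denies by default unless every class matches an allowlist. The allowlist entries, the `com.example.dto` package and the `clojure.core$some_fn` stand-in name are assumptions for the demo; the sample streams are constructed in the code, not captured from an exploit.

```python
"""
Deny-by-default gate for Java serialization streams reaching a JVM service
that has Clojure on its classpath. Added example; the sample streams are
built by hand below, not captured from a real exploit.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION (java.io.ObjectStreamConstants)
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_SERIALIZABLE = 0x02

# Java binary class name: dotted identifiers, '$' allowed for inner/generated classes.
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Assumption: the application's own DTO package plus a few JDK types.
ALLOWLIST = ["java.lang.String", "java.util.*", "com.example.dto.*"]


def is_java_serialized(data: bytes) -> bool:
    """True if the buffer starts with the Java serialization stream header."""
    return data[:4] == STREAM_MAGIC


def extract_class_names(data: bytes) -> list:
    """Collect class names from TC_CLASSDESC records.

    Heuristic: a TC_CLASSDESC byte followed by a length-prefixed UTF string
    that looks like a class name. It does not parse the full grammar (back
    references, arrays, block data), so it may over-match inside opaque
    field data; for a deny-by-default gate that errs on the safe side.
    """
    names = []
    i = 0
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            candidate = data[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def check_stream(data: bytes, allowlist) -> tuple:
    """Return (accepted, reason). Every referenced class must match an
    allowlist entry, either an exact name or a 'package.*' prefix."""
    if not is_java_serialized(data):
        return False, "not a Java serialization stream"
    names = extract_class_names(data)
    if not names:
        return False, "no class descriptors found"
    for name in names:
        ok = any(name == a or (a.endswith(".*") and name.startswith(a[:-1])) for a in allowlist)
        if not ok:
            return False, "class not allowlisted: " + name
    return True, "ok"


def build_sample_stream(class_name: str, serial_version_uid: int = 1) -> bytes:
    """Construct a minimal stream: one object of a Serializable class with no
    fields and no superclass, laid out as java.io.ObjectOutputStream would
    emit it. Test input assembled here by hand."""
    name = class_name.encode("ascii")
    return (
        STREAM_MAGIC
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(name)) + name
        + struct.pack(">q", serial_version_uid)
        + bytes([SC_SERIALIZABLE])
        + struct.pack(">H", 0)          # field count: none
        + bytes([TC_ENDBLOCKDATA])      # end of class annotation
        + bytes([TC_NULL])              # no superclass descriptor
    )


if __name__ == "__main__":
    benign = build_sample_stream("com.example.dto.Order")
    suspect = build_sample_stream("clojure.core$some_fn")   # stand-in name, not a real gadget class
    for label, blob in (("benign", benign), ("suspect", suspect), ("json", b'{"a":1}')):
        print(label, check_stream(blob, ALLOWLIST))
```

Inside the JVM the same policy is expressed with the JEP 290 filter: `ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.dto.*;java.util.*;!*"))`, where the trailing `!*` rejects every class not listed. Upgrading to Clojure 1.9.0 removes this particular gadget but not the general risk of deserializing untrusted input.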
Products affected by CVE-2017-20189
- cpe:2.3:a:clojure:clojure:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-20189
- EPSS score: 2.24% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~83% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-20189
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 2024-01-30
CWE ids for CVE-2017-20189
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-20189
- https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
  CLJ-2204 Disable serialization of proxy classes · clojure/clojure@271674c · GitHub (Patch)
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
  Deserialization of Untrusted Data in org.clojure:clojure | Snyk (Patch; Third Party Advisory)
- https://clojure.atlassian.net/browse/CLJ-2204
  [CLJ-2204] Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization - JIRA (Exploit; Patch; Vendor Advisory)
- https://hackmd.io/%40fe1w0/HyefvRQKp
  Vulnerability Details - Clojure Command Injection by Deserialization - HackMD (Exploit; Third Party Advisory)
- https://github.com/frohoff/ysoserial/pull/68/files
  Add a gadget chain for exploiting the presence of clojure. by JackOfMostTrades · Pull Request #68 · frohoff/ysoserial · GitHub (Patch)