{"url":"http://public2.vulnerablecode.io/api/packages/68576?format=json","purl":"pkg:maven/org.clojure/clojure@1.9.0","type":"maven","namespace":"org.clojure","name":"clojure","version":"1.9.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.11.2","latest_non_vulnerable_version":"1.12.0-alpha9","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46871?format=json","vulnerability_id":"VCID-3j6v-1ab5-67gt","summary":"Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization\nIn Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.","references":[{"reference_url":"https://clojure.atlassian.net/browse/CLJ-2204","reference_id":"","reference_type":"","scores":[],"url":"https://clojure.atlassian.net/browse/CLJ-2204"},{"reference_url":"https://github.com/clojure/clojure","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/clojure/clojure"},{"reference_url":"https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3"},{"reference_url":"https://github.com/frohoff/ysoserial/pull/68/files","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/frohoff/ysoserial/pull/68/files"},{"reference_url":"https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ"},{"reference_url":"https://hackmd.io/%40fe1w0/HyefvRQKp","reference_id":"","reference_type":"","scores":[],"url":"https://hackmd.io/%40fe1w0/HyefvRQKp"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241108-0002","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20241108-0002"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378","reference_id":"","reference_type":"","scores":[],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-20189","reference_id":"CVE-2017-20189","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-20189"},{"reference_url":"https://github.com/advisories/GHSA-jgxc-8mwq-9xqw","reference_id":"GHSA-jgxc-8mwq-9xqw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jgxc-8mwq-9xqw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68576?format=json","purl":"pkg:maven/org.clojure/clojure@1.9.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.clojure/clojure@1.9.0"}],"aliases":["CVE-2017-20189","GHSA-jgxc-8mwq-9xqw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3j6v-1ab5-67gt"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.clojure/clojure@1.9.0"}