{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46871?format=json","vulnerability_id":"VCID-3j6v-1ab5-67gt","summary":"Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization\nIn Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.","aliases":[{"alias":"CVE-2017-20189"},{"alias":"GHSA-jgxc-8mwq-9xqw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68576?format=json","purl":"pkg:maven/org.clojure/clojure@1.9.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.clojure/clojure@1.9.0"}],"affected_packages":[],"references":[{"reference_url":"https://clojure.atlassian.net/browse/CLJ-2204","reference_id":"","reference_type":"","scores":[],"url":"https://clojure.atlassian.net/browse/CLJ-2204"},{"reference_url":"https://github.com/clojure/clojure","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/clojure/clojure"},{"reference_url":"https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3"},{"reference_url":"https://github.com/frohoff/ysoserial/pull/68/files","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/frohoff/ysoserial/pull/68/files"},{"reference_url":"https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ"},{"reference_url":"https://hackmd.io/%40fe1w0/HyefvRQKp","reference_id":"","reference_type":"","scores":[],"url":"https://hackmd.io/%40fe1w0/HyefvRQKp"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241108-0002","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20241108-0002"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378","reference_id":"","reference_type":"","scores":[],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-20189","reference_id":"CVE-2017-20189","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-20189"},{"reference_url":"https://github.com/advisories/GHSA-jgxc-8mwq-9xqw","reference_id":"GHSA-jgxc-8mwq-9xqw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jgxc-8mwq-9xqw"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3j6v-1ab5-67gt"}