VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-4thq-85c5-d7cs

Essentials
Severities (28)
References (12)
Severity details (24)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-4thq-85c5-d7cs
Aliases	CVE-2017-20189 GHSA-jgxc-8mwq-9xqw
Summary	In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-502	Deserialization of Untrusted Data
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.03376	https://api.first.org/data/v1/epss?cve=CVE-2017-20189
epss	0.03376	https://api.first.org/data/v1/epss?cve=CVE-2017-20189
epss	0.03376	https://api.first.org/data/v1/epss?cve=CVE-2017-20189
epss	0.03376	https://api.first.org/data/v1/epss?cve=CVE-2017-20189
cvssv3.1	9.8	https://clojure.atlassian.net/browse/CLJ-2204
generic_textual	CRITICAL	https://clojure.atlassian.net/browse/CLJ-2204
ssvc	Track*	https://clojure.atlassian.net/browse/CLJ-2204
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-jgxc-8mwq-9xqw
cvssv3.1	9.8	https://github.com/clojure/clojure
generic_textual	CRITICAL	https://github.com/clojure/clojure
cvssv3.1	9.8	https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
generic_textual	CRITICAL	https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
ssvc	Track*	https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
cvssv3.1	9.8	https://github.com/frohoff/ysoserial/pull/68/files
generic_textual	CRITICAL	https://github.com/frohoff/ysoserial/pull/68/files
ssvc	Track*	https://github.com/frohoff/ysoserial/pull/68/files
cvssv3.1	9.8	https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ
generic_textual	CRITICAL	https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ
cvssv3.1	9.8	https://hackmd.io/%40fe1w0/HyefvRQKp
generic_textual	CRITICAL	https://hackmd.io/%40fe1w0/HyefvRQKp
ssvc	Track*	https://hackmd.io/%40fe1w0/HyefvRQKp
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2017-20189
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2017-20189
cvssv3.1	9.8	https://security.netapp.com/advisory/ntap-20241108-0002
generic_textual	CRITICAL	https://security.netapp.com/advisory/ntap-20241108-0002
cvssv3.1	9.8	https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
generic_textual	CRITICAL	https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
ssvc	Track*	https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2017-20189
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20189
		https://github.com/clojure/clojure
		https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ
		https://security.netapp.com/advisory/ntap-20241108-0002
271674c9b484d798484d134a5ac40a6df15d3ac3		https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
CLJ-2204		https://clojure.atlassian.net/browse/CLJ-2204
CVE-2017-20189		https://nvd.nist.gov/vuln/detail/CVE-2017-20189
files		https://github.com/frohoff/ysoserial/pull/68/files
GHSA-jgxc-8mwq-9xqw		https://github.com/advisories/GHSA-jgxc-8mwq-9xqw
HyefvRQKp		https://hackmd.io/%40fe1w0/HyefvRQKp
SNYK-JAVA-ORGCLOJURE-5740378		https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://clojure.atlassian.net/browse/CLJ-2204

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:59:16Z/ Found at https://clojure.atlassian.net/browse/CLJ-2204

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/clojure/clojure

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:59:16Z/ Found at https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/frohoff/ysoserial/pull/68/files

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:59:16Z/ Found at https://github.com/frohoff/ysoserial/pull/68/files

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://hackmd.io/%40fe1w0/HyefvRQKp

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:59:16Z/ Found at https://hackmd.io/%40fe1w0/HyefvRQKp

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-20189

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20241108-0002

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:59:16Z/ Found at https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378

Exploit Prediction Scoring System (EPSS)

Percentile	0.87647
EPSS Score	0.03376
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:55:16.824148+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2017/20xxx/CVE-2017-20189.json	38.6.0