CVE-2017-20189
CRITICALClojure <1.9.0 - Code Injection
Title source: llmDescription
In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
References (6)
Scores
CVSS v3
9.8
EPSS
0.0338
EPSS Percentile
87.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (2)
clojure/clojure
< 1.9.0
org.clojure/clojure
< 1.9.0Maven
Timeline
Published
Jan 22, 2024
Tracked Since
Feb 18, 2026