SNYK-JAVA-ORGCLOJURE-5740378
## Overview

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. If a server deserializes objects from an untrusted source, an attacker can craft a serialized object that runs arbitrary code when it is deserialized.

**Note:** The attacker would likely need to be in a position of elevated trust to pass a malicious payload, and the attack depends on conditions that are not entirely under their control.

## Remediation

Upgrade `org.clojure:clojure` to version 1.9.0 or higher.

## References

- [GitHub Commit](https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3)
- [Jira Issue](https://clojure.atlassian.net/browse/CLJ-2204)
- [PoC](https://github.com/frohoff/ysoserial/pull/68/files)
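The remediation above is a version threshold, and a plain string comparison gets it wrong (`"1.10.0" < "1.9.0"` as strings). The following added example (not Snyk's or the Clojure project's code) checks `org.clojure:clojure` coordinates declared in a Maven `pom.xml` against the fixed release 1.9.0, treating pre-release suffixes such as `1.9.0-alpha1` as still affected; the sample `pom.xml` is constructed for illustration.

```python
"""Flag org.clojure:clojure dependencies below the fixed release (1.9.0).

Added example for this advisory; not Snyk's or the Clojure project's code.
SAMPLE_POM below is a constructed input, not a real project file.
"""
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.9.0"  # remediation threshold stated in the advisory
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(version):
    """Turn '1.8.0' or '1.9.0-alpha1' into a tuple that compares correctly.

    Numeric components compare as integers (so 1.10.0 > 1.9.0), and a
    pre-release suffix sorts below the final release of the same number.
    """
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts += (0,) * (3 - len(parts))  # pad so "1.9" compares like "1.9.0"
    # pre-release -> (0, suffix); final release -> (1, "") so it sorts after
    return parts + ((0, suffix) if suffix else (1, ""))


def is_affected(version):
    """True when the given clojure version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def affected_clojure_deps(pom_xml):
    """Return affected versions of org.clojure:clojure declared in a pom.xml."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId")
        artifact = dep.findtext(POM_NS + "artifactId")
        version = dep.findtext(POM_NS + "version")
        if group != "org.clojure" or artifact != "clojure" or not version:
            continue
        if version.startswith("${"):
            continue  # Maven property placeholder; resolve it before checking
        if is_affected(version):
            found.append(version)
    return found


SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.clojure</groupId>
      <artifactId>clojure</artifactId>
      <version>1.8.0</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print(affected_clojure_deps(SAMPLE_POM))  # ['1.8.0']
```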
## Affected Products

| Vendor | Product | Versions |
|---|---|---|
| org.clojure | clojure | 0, 1.2.0 |
## Timeline
- Jun 26, 2023 CVE Updated
- Jun 26, 2023 CVE Published
## References

- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378 (advisory)
- https://learn.snyk.io/lesson/insecure-deserialization/ (technical)
- https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3 (patch)
- https://clojure.atlassian.net/browse/CLJ-2204 (technical)
- https://github.com/frohoff/ysoserial/pull/68/files (patch)