{"id":"CVE-2017-20189","details":"In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.","aliases":["GHSA-jgxc-8mwq-9xqw"],"modified":"2026-04-10T04:00:01.377232Z","published":"2024-01-22T06:15:07.563Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0002/"},{"type":"FIX","url":"https://clojure.atlassian.net/browse/CLJ-2204"},{"type":"FIX","url":"https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3"},{"type":"FIX","url":"https://github.com/frohoff/ysoserial/pull/68/files"},{"type":"FIX","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378"},{"type":"EVIDENCE","url":"https://hackmd.io/%40fe1w0/HyefvRQKp"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/clojure/clojure","events":[{"introduced":"0"},{"fixed":"841fa60b41bc74367fb16ec65d025ea5bde7a617"},{"fixed":"271674c9b484d798484d134a5ac40a6df15d3ac3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.9.0"}]}}],"versions":["clojure-1.3.0","clojure-1.3.0-RC0","clojure-1.3.0-alpha5","clojure-1.3.0-alpha6","clojure-1.3.0-alpha7","clojure-1.3.0-alpha8","clojure-1.3.0-beta1","clojure-1.3.0-beta2","clojure-1.3.0-beta3","clojure-1.4.0","clojure-1.4.0-alpha1","clojure-1.4.0-alpha2","clojure-1.4.0-alpha3","clojure-1.4.0-alpha4","clojure-1.4.0-alpha5","clojure-1.4.0-beta1","clojure-1.4.0-beta2","clojure-1.4.0-beta3","clojure-1.4.0-beta4","clojure-1.4.0-beta5","clojure-1.4.0-beta6","clojure-1.4.0-beta7","clojure-1.5.0","clojure-1.5.0-RC1","clojure-1.5.0-RC14","clojure-1.5.0-RC15","clojure-1.5.0-RC16","clojure-1.5.0-RC17","clojure-1.5.0-RC2","clojure-1.5.0-RC3","clojure-1.5.0-RC4","clojure-1.5.0-alpha1","clojure-1.5.0-alpha2","clojure-1.5.0-alpha3","clojure-1.5.0-alpha4","clojure-1.5.0-alpha5","clojure-1.5.0-alpha6","clojure-1.5.0-alpha7","clojure-1.5.0-beta1","clojure-1.5.0-beta10","clojure-1.5.0-beta11","clojure-1.5.0-beta12","clojure-1.5.0-beta13","clojure-1.5.0-beta2","clojure-1.5.0-beta7","clojure-1.5.0-beta8","clojure-1.5.1","clojure-1.6.0","clojure-1.6.0-RC1","clojure-1.6.0-RC2","clojure-1.6.0-RC3","clojure-1.6.0-RC4","clojure-1.6.0-alpha1","clojure-1.6.0-alpha2","clojure-1.6.0-alpha3","clojure-1.6.0-beta1","clojure-1.6.0-beta2","clojure-1.7.0","clojure-1.7.0-RC1","clojure-1.7.0-RC2","clojure-1.7.0-alpha3","clojure-1.7.0-alpha4","clojure-1.7.0-alpha5","clojure-1.7.0-alpha6","clojure-1.7.0-beta1","clojure-1.7.0-beta2","clojure-1.7.0-beta3","clojure-1.8.0","clojure-1.8.0-RC1","clojure-1.8.0-RC2","clojure-1.8.0-RC3","clojure-1.8.0-RC4","clojure-1.8.0-RC5","clojure-1.8.0-alpha1","clojure-1.8.0-alpha2","clojure-1.8.0-alpha4","clojure-1.8.0-alpha5","clojure-1.8.0-beta1","clojure-1.8.0-beta2","clojure-1.9.0-RC1","clojure-1.9.0-RC2","clojure-1.9.0-alpha1","clojure-1.9.0-alpha10","clojure-1.9.0-alpha11","clojure-1.9.0-alpha12","clojure-1.9.0-alpha13","clojure-1.9.0-alpha14","clojure-1.9.0-alpha15","clojure-1.9.0-alpha16","clojure-1.9.0-alpha17","clojure-1.9.0-alpha19","clojure-1.9.0-alpha20","clojure-1.9.0-alpha3","clojure-1.9.0-alpha4","clojure-1.9.0-alpha5","clojure-1.9.0-alpha6","clojure-1.9.0-alpha8","clojure-1.9.0-alpha9","clojure-1.9.0-beta1","clojure-1.9.0-beta2","clojure-1.9.0-beta3","clojure-1.9.0-beta4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-20189.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}