cve/2017/CVE-2017-20189.md

### [CVE-2017-20189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20189)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.

### POC

#### Reference
- https://clojure.atlassian.net/browse/CLJ-2204
- https://github.com/frohoff/ysoserial/pull/68/files
- https://hackmd.io/@fe1w0/HyefvRQKp
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378

#### Github
- https://github.com/fe1w0/fe1w0
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`### [CVE-2017-20189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20189)`
			`![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			`In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.`

			`### POC`

			`#### Reference`
			`- https://clojure.atlassian.net/browse/CLJ-2204`
			`- https://github.com/frohoff/ysoserial/pull/68/files`
			`- https://hackmd.io/@fe1w0/HyefvRQKp`
			`- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378`

			`#### Github`
			`- https://github.com/fe1w0/fe1w0`