mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-06 02:31:38 +00:00
806 B
806 B
CVE-2017-20189
Description
In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
POC
Reference
- https://clojure.atlassian.net/browse/CLJ-2204
- https://github.com/frohoff/ysoserial/pull/68/files
- https://hackmd.io/@fe1w0/HyefvRQKp
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378