CVE-2017-20189
First published: Mon Jan 22 2024(Updated: )
Clojure could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially crafted serialized object, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.clojure:clojure | <1.9.0 | 1.9.0 |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| Clojure | <1.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hackmd.io/%40fe1w0/HyefvRQKp
- https://clojure.atlassian.net/browse/CLJ-2204
- https://github.com/frohoff/ysoserial/pull/68/files
- https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378
- https://nvd.nist.gov/vuln/detail/CVE-2017-20189
- https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ
- https://github.com/advisories/GHSA-jgxc-8mwq-9xqw (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/280284
- https://www.ibm.com/support/pages/node/7156941 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2017-20189?
CVE-2017-20189 has a high severity rating due to the potential for remote code execution by attackers.
How do I fix CVE-2017-20189?
To fix CVE-2017-20189, upgrade Clojure to version 1.9.0 or later.
Who is affected by CVE-2017-20189?
CVE-2017-20189 affects versions of Clojure prior to 1.9.0, as well as specific versions of IBM Cognos Analytics.
What type of vulnerability is CVE-2017-20189?
CVE-2017-20189 is categorized as an unsafe deserialization vulnerability.
What could an attacker do by exploiting CVE-2017-20189?
An attacker could execute arbitrary code on the system by sending a specially crafted serialized object.
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/author
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jgxc-8mwq-9xqw
- alias/CVE-2017-20189
- agent/software-canonical-lookup
- agent/event
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/references
- agent/severity
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp3
- vendor/clojure
- canonical/clojure