In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Clojure | Clojure | * | 1.9.0 (excluding) |
| Clojure | Ubuntu | bionic | * |
| Clojure | Ubuntu | upstream | * |