GHSA-vr64-r9qj-h27f

Suggest an improvement
Source
https://github.com/advisories/GHSA-vr64-r9qj-h27f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vr64-r9qj-h27f/GHSA-vr64-r9qj-h27f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vr64-r9qj-h27f
Aliases
Related
Published
2024-02-29T03:33:18Z
Modified
2024-09-11T06:13:21.528259Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service
Details

Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject(). Reading serialized objects from an untrusted source is inherently unsafe (this affects any program running on any version of the JVM) and is a prerequisite for this vulnerability.

Clojure classes that represent infinite seqs (Cycle, infinite Repeat, and Iterate) do not define hashCode() and use the parent ASeq.hashCode(), which walks the seq to compute the hash, yielding an infinite loop. Classes like java.util.HashMap call hashCode() on keys during deserialization of a serialized map.

The exploit requires:

  1. Crafting a serialized HashMap object with an infinite seq object as a key.
  2. Sending that to a program that reads serialized objects via ObjectInputStream.readObject().

This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).

The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Database specific
{
    "nvd_published_at": "2024-02-29T02:15:09Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T16:56:52Z"
}
References

Affected packages

Maven / org.clojure:clojure

Package

Name
org.clojure:clojure
View open source insights on deps.dev
Purl
pkg:maven/org.clojure/clojure

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.11.2

Affected versions

1.*

1.7.0
1.8.0-alpha1
1.8.0-alpha2
1.8.0-alpha3
1.8.0-alpha4
1.8.0-alpha5
1.8.0-beta1
1.8.0-beta2
1.8.0-RC1
1.8.0-RC2
1.8.0-RC3
1.8.0-RC4
1.8.0-RC5
1.8.0
1.9.0-alpha1
1.9.0-alpha2
1.9.0-alpha3
1.9.0-alpha4
1.9.0-alpha5
1.9.0-alpha6
1.9.0-alpha7
1.9.0-alpha8
1.9.0-alpha9
1.9.0-alpha10
1.9.0-alpha11
1.9.0-alpha12
1.9.0-alpha13
1.9.0-alpha14
1.9.0-alpha15
1.9.0-alpha16
1.9.0-alpha17
1.9.0-alpha18
1.9.0-alpha19
1.9.0-alpha20
1.9.0-beta1
1.9.0-beta2
1.9.0-beta3
1.9.0-beta4
1.9.0-RC1
1.9.0-RC2
1.9.0
1.10.0-alpha1
1.10.0-alpha2
1.10.0-alpha3
1.10.0-alpha4
1.10.0-alpha5
1.10.0-alpha6
1.10.0-alpha7
1.10.0-alpha8
1.10.0-alpha9
1.10.0-beta1
1.10.0-beta2
1.10.0-beta3
1.10.0-beta4
1.10.0-beta5
1.10.0-beta6
1.10.0-beta7
1.10.0-beta8
1.10.0-RC1
1.10.0-RC2
1.10.0-RC3
1.10.0-RC4
1.10.0-RC5
1.10.0
1.10.1-beta1
1.10.1-beta2
1.10.1-beta3
1.10.1-RC1
1.10.1
1.10.2-alpha1
1.10.2-alpha2
1.10.2-alpha3
1.10.2-alpha4
1.10.2-rc1
1.10.2-rc2
1.10.2-rc3
1.10.2
1.10.3-rc1
1.10.3
1.11.0-alpha1
1.11.0-alpha2
1.11.0-alpha3
1.11.0-alpha4
1.11.0-beta1
1.11.0-rc1
1.11.0
1.11.1-rc1
1.11.1

Maven / org.clojure:clojure

Package

Name
org.clojure:clojure
View open source insights on deps.dev
Purl
pkg:maven/org.clojure/clojure

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.12.0-alpha1
Fixed
1.12.0-alpha9

Affected versions

1.*

1.12.0-alpha1
1.12.0-alpha2
1.12.0-alpha3
1.12.0-alpha4
1.12.0-alpha5
1.12.0-alpha6
1.12.0-alpha7
1.12.0-alpha8