Atlassian · Confluence · CVE-2024-22871
**Name of the Vulnerable Software and Affected Versions**
Clojure versions 1.12.0-alpha5 through 1.20
Clojure versions 1.7.0 through 1.11.1
**Description**
The issue is related to the deserialization of untrusted data, which can allow an attacker to cause a denial of service (DoS) via the `clojure.core$partial$fn__5920` function. Any program on the JVM may read serialized objects via `java.io.ObjectInputStream.readObject()`, and reading serialized objects from an untrusted source is inherently unsafe. The exploit requires crafting a serialized HashMap object with an infinite seq object as a key and sending it to a program that reads serialized objects via `ObjectInputStream.readObject()`. This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).
**Recommendations**
For Clojure versions 1.12.0-alpha5 through 1.20, upgrade to a version that is not affected by this issue.
For Clojure versions 1.7.0 through 1.11.1, consider disabling the `clojure.core$partial$fn__5920` function as a temporary workaround until a patch is available.
For Confluence Data Center and Server customers, upgrade to the latest version or one of the specified supported fixed versions:
* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.21
* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.8
* Confluence Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.1
As a temporary workaround, consider restricting access to the `java.io.ObjectInputStream.readObject()` function to minimize the risk of exploitation.
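One concrete way to apply the `readObject()` restriction described above is a JDK serialization filter (JEP 290, Java 9 and later) that allowlists only the types the application expects and rejects every `clojure.*` class, including the function named in the description. This is an added example, not code from Atlassian or the Clojure project; the filter pattern, the allowlisted JDK types and the `SafeDeserializer` class are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class SafeDeserializer {

    // Constructed allowlist filter (assumption, not from the advisory):
    // - size limits are defence in depth against oversized or deeply nested graphs
    // - "!clojure.**" rejects every class in the clojure package tree, which covers
    //   clojure.core$partial$fn__5920 and the lazy seq classes that carry the loop
    // - only the JDK types this application actually expects are accepted
    // - the trailing "!*" rejects everything else; first matching pattern wins
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=65536;"
            + "!clojure.**;"
            + "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;"
            + "!*");

    // The filter must be installed before readObject() so that every class
    // descriptor in the stream is checked before it is resolved.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build sample input for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> expected = new HashMap<>();
        expected.put("count", 1);
        System.out.println("accepted: " + readFiltered(serialize(expected)));
        try {
            // ArrayList is not on the allowlist, so the stream is rejected
            // before any object is constructed, exactly as a clojure.* class would be.
            readFiltered(serialize(new ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without code changes via the `jdk.serialFilter` system property, which is the quicker option for a deployed service whose deserialization call sites cannot be edited immediately.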