CVE-2024-22871

Name of the Vulnerable Software and Affected Versions Clojure versions 1.12.0-alpha5 through 1.20 Clojure versions 1.7.0 through 1.11.1

Description The issue is related to the deserialization of untrusted data, which can allow an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn 5920 function. Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject(), and reading serialized objects from an untrusted source is inherently unsafe. The exploit requires crafting a serialized HashMap object with an infinite seq object as a key and sending it to a program that reads serialized objects via ObjectInputStream.readObject(). This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).

Recommendations For Clojure versions 1.12.0-alpha5 through 1.20, upgrade to a version that is not affected by this issue. For Clojure versions 1.7.0 through 1.11.1, consider disabling the clojure.core$partial$fn 5920 function as a temporary workaround until a patch is available. For Confluence Data Center and Server customers, upgrade to the latest version or one of the specified supported fixed versions: