CVE-2017-20189: 
Java vulnerability analysis and mitigation

CVE-2017-20189 affects Clojure versions before 1.9.0, where classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This vulnerability is particularly relevant in scenarios where a server deserializes untrusted objects. The vulnerability was disclosed on January 22, 2024, and received a CVSS v3.1 base score of 9.8 (Critical) (NVD, CVE).

The vulnerability is classified as a Deserialization of Untrusted Data (CWE-502) issue. When a server deserializes objects from an untrusted source, an attacker can construct a serialized object that executes arbitrary code during the deserialization process. The vulnerability affects the core functionality of Clojure's serialization mechanism (Snyk).

The vulnerability can lead to a complete compromise of system confidentiality, integrity, and availability. If successfully exploited, it allows attackers to execute arbitrary code on the target system, potentially resulting in total loss of system protection. The CVSS scoring indicates high impact ratings for confidentiality, integrity, and availability (NVD).

The primary mitigation is to upgrade Clojure to version 1.9.0 or higher, which includes a fix that disables serialization of proxy classes. The fix was implemented through a commit that adds explicit checks to prevent serialization and deserialization of proxy classes (GitHub).