Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
History

Thu, 12 Dec 2024 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality. Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Fri, 04 Oct 2024 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache lucene
CPEs cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache lucene

Tue, 01 Oct 2024 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Sep 2024 09:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
Title Apache Lucene Replicator: Security Vulnerability in Lucene Replicator - Deserialization Issue
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-09-30T08:51:30.950Z

Updated: 2024-12-12T16:22:31.991Z

Reserved: 2024-09-07T02:19:39.340Z

Link: CVE-2024-45772

cve-icon Vulnrichment

Updated: 2024-09-30T09:03:25.087Z

cve-icon NVD

Status : Modified

Published: 2024-09-30T09:15:02.670

Modified: 2024-12-12T17:15:10.457

Link: CVE-2024-45772

cve-icon Redhat

No data.