Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.
This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 31 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache lucene |
|
CPEs | cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache lucene |
|
Metrics |
ssvc
|
Thu, 31 Oct 2024 10:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue. | |
Title | Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator | |
Weaknesses | CWE-502 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-10-31T09:57:29.062Z
Updated: 2024-10-31T13:52:47.181Z
Reserved: 2024-08-10T16:38:34.946Z
Link: CVE-2024-43383
Vulnrichment
Updated: 2024-10-31T10:03:23.483Z
NVD
Status : Awaiting Analysis
Published: 2024-10-31T10:15:04.293
Modified: 2024-11-21T09:35:24.427
Link: CVE-2024-43383
Redhat
No data.