Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.
This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0.
The deprecated org.apache.lucene.replicator.http package is affected.
The org.apache.lucene.replicator.nrt package is not affected.
Users are recommended to upgrade to version 9.12.0, which fixes the issue.
Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
Metrics
Affected Vendors & Products
References
History
Fri, 04 Oct 2024 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache lucene |
|
CPEs | cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache lucene |
Tue, 01 Oct 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 30 Sep 2024 09:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality. | |
Title | Apache Lucene Replicator: Security Vulnerability in Lucene Replicator - Deserialization Issue | |
Weaknesses | CWE-502 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-09-30T08:51:30.950Z
Updated: 2024-10-01T14:31:27.523Z
Reserved: 2024-09-07T02:19:39.340Z
Link: CVE-2024-45772
Vulnrichment
Updated: 2024-10-01T14:30:56.133Z
NVD
Status : Analyzed
Published: 2024-09-30T09:15:02.670
Modified: 2024-10-04T13:20:58.327
Link: CVE-2024-45772
Redhat
No data.