Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
History

Fri, 04 Oct 2024 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache lucene
CPEs cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache lucene

Tue, 01 Oct 2024 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Sep 2024 09:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
Title Apache Lucene Replicator: Security Vulnerability in Lucene Replicator - Deserialization Issue
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-09-30T08:51:30.950Z

Updated: 2024-10-01T14:31:27.523Z

Reserved: 2024-09-07T02:19:39.340Z

Link: CVE-2024-45772

cve-icon Vulnrichment

Updated: 2024-10-01T14:30:56.133Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-30T09:15:02.670

Modified: 2024-10-04T13:20:58.327

Link: CVE-2024-45772

cve-icon Redhat

No data.