Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.
This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0.
The deprecated org.apache.lucene.replicator.http package is affected.
The org.apache.lucene.replicator.nrt package is not affected.
Users are recommended to upgrade to version 9.12.0, which fixes the issue.
Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo | Mailing List Mitigation Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/09/29/1 |
Configurations
History
21 Nov 2024, 09:38
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.1 |
References |
|
04 Oct 2024, 13:20
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.0 |
First Time |
Apache
Apache lucene |
|
CPE | cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:* | |
References | () https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo - Mailing List, Mitigation, Vendor Advisory |
30 Sep 2024, 12:45
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
30 Sep 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-30 09:15
Updated : 2024-11-21 09:38
NVD link : CVE-2024-45772
Mitre link : CVE-2024-45772
CVE.ORG link : CVE-2024-45772
JSON object : View
Products Affected
apache
- lucene
CWE
CWE-502
Deserialization of Untrusted Data