Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.
This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Tue, 11 Feb 2025 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache lucene.net
|
|
CPEs | cpe:2.3:a:apache:lucene.net:4.8.0:beta00005:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00006:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00007:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00008:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00009:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00010:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00011:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00012:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00013:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00014:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00015:*:*:*:*:*:* cpe:2.3:a:apache:lucene.net:4.8.0:beta00016:*:*:*:*:*:* |
|
Vendors & Products |
Apache lucene.net
|
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 31 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache lucene |
|
CPEs | cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache lucene |
|
Metrics |
ssvc
|
Thu, 31 Oct 2024 10:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue. | |
Title | Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator | |
Weaknesses | CWE-502 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-10-31T13:52:47.181Z
Reserved: 2024-08-10T16:38:34.946Z
Link: CVE-2024-43383

Updated: 2024-10-31T10:03:23.483Z

Status : Analyzed
Published: 2024-10-31T10:15:04.293
Modified: 2025-02-11T16:13:52.167
Link: CVE-2024-43383

No data.