Description

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such asĀ -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.

INFO

Published Date :

2024-09-30T08:51:30.950Z

Last Modified :

2024-12-12T16:22:31.991Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45772 vulnerability.

Vendors Products
Apache
  • Lucene Replicator
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45772.

URL Resource
http://www.openwall.com/lists/oss-security/2024/09/29/1 cve-icon
https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact