We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-43383

Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator



Description

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.

Reserved 2024-08-10 | Published 2024-10-31 | Updated 2024-10-31 | Assigner apache


HIGH: 8.0CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

4.8.0-beta00005
affected

Credits

Summ3r, Vidar-Team reporter

Apache Lucene remediation developer

References

lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh vendor-advisory

cve.org (CVE-2024-43383)

nvd.nist.gov (CVE-2024-43383)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-43383

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.

© Copyright 2024 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.