Deserialization of Untrusted Data Vulnerability Affects Apache Lucene.NET's Replicator Library
CVE-2024-43383

8.1HIGH

Key Information:

Vendor: Apache
Status: Lucene.net
Vendor: CVE Published:; 31 October 2024

What is CVE-2024-43383?

A deserialization of untrusted data vulnerability exists in the Apache Lucene.NET's Replicator library. This issue arises when an attacker can intercept communication between a replication client and server or influence the target replication node's URL. By providing a specially-crafted JSON response, the attacker can cause the system to deserialize this data as an attacker-controlled exception type, potentially leading to remote code execution or other unauthorized access incidents. It is crucial for users to upgrade to version 4.8.0-beta00017 to mitigate this risk.

References

https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5z...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2024