Deserialization of Untrusted Data Vulnerability Affects Apache Lucene.NET's Replicator Library
CVE-2024-43383

8.1 HIGH

Key Information:

Vendor:
Apache

CVE Published:
31 October 2024

What is CVE-2024-43383?

A deserialization of untrusted data vulnerability exists in Apache Lucene.NET's Replicator library. The replication client deserializes a JSON response received from the replication server, so an attacker who can intercept the traffic between a replication client and server (for example, from a man-in-the-middle position on a connection that is not protected by TLS with certificate validation) or who can influence the URL of the target replication node can return a specially crafted JSON response. The client then deserializes that response as an exception type chosen by the attacker, which can lead to remote code execution or other unauthorized access on the client. Users should upgrade to version 4.8.0-beta00017, which fixes the issue. Until the upgrade is in place, exposure is reduced by carrying replication traffic over TLS with server certificate validation and by keeping replication node URLs fixed in configuration rather than derived from untrusted input, since both preconditions of the attack depend on the attacker reaching or redirecting that connection.
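The following is an added illustration of the vulnerability class described above, written for this page; it is not Lucene.NET's code and does not reproduce the library's actual deserialization path. It assumes the common .NET mechanism behind "attacker-controlled type" bugs, Newtonsoft.Json with TypeNameHandling enabled, and uses hypothetical types (ReplicationException, UntrustedGadget, ErrorDto) and a constructed response body. The vulnerable function lets the peer's "$type" property pick which CLR type is constructed; the hardened function binds to a fixed DTO and builds the exception locally.

```csharp
using System;
using Newtonsoft.Json;

// Hypothetical exception type a replication client surfaces for
// server-reported failures (not a Lucene.NET type).
public class ReplicationException : Exception
{
    public ReplicationException(string message) : base(message) { }
}

// Stand-in for "any type the peer can name": its setter runs during
// deserialization, which is the foothold a real gadget chain builds on.
public class UntrustedGadget
{
    private string _payload;
    public string Payload
    {
        get => _payload;
        set
        {
            _payload = value;
            Console.WriteLine("setter ran during deserialization with: " + value);
        }
    }
}

// Fixed shape for server error bodies; no type information comes from the wire.
public sealed class ErrorDto
{
    public string Message { get; set; }
    public int StatusCode { get; set; }
}

public static class ErrorResponseHandling
{
    // VULNERABLE: TypeNameHandling.All makes Newtonsoft.Json honour a "$type"
    // property in the body, so a rogue node or a man-in-the-middle chooses the
    // CLR type that gets constructed and whose setters run.
    public static object DeserializeUnsafe(string body)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        return JsonConvert.DeserializeObject(body, settings);
    }

    // HARDENED: bind to a fixed DTO with TypeNameHandling.None (the default),
    // so "$type" in the body is ignored, and construct the exception locally.
    public static ReplicationException DeserializeSafe(string body)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        var dto = JsonConvert.DeserializeObject<ErrorDto>(body, settings);
        if (dto == null)
            throw new FormatException("error body was empty or not a JSON object");
        return new ReplicationException(
            $"replication server returned {dto.StatusCode}: {dto.Message}");
    }

    public static void Main()
    {
        // Constructed response body, as a rogue replication node or a
        // man-in-the-middle could send it. The assembly-qualified name is built
        // at runtime only so this sample runs in any project; an attacker would
        // name a type that is already loaded on the client.
        string crafted =
            "{\"$type\":\"" + typeof(UntrustedGadget).AssemblyQualifiedName + "\"," +
            "\"Payload\":\"attacker data\",\"Message\":\"oops\",\"StatusCode\":500}";

        Console.WriteLine("vulnerable path:");
        object result = DeserializeUnsafe(crafted);
        Console.WriteLine("  constructed " + result.GetType().Name);

        Console.WriteLine("hardened path:");
        ReplicationException ex = DeserializeSafe(crafted);
        Console.WriteLine("  constructed " + ex.GetType().Name + ": " + ex.Message);
    }
}
```

Running the sample with the Newtonsoft.Json package referenced shows the vulnerable path instantiating whatever type the body names (here the harmless UntrustedGadget), while the hardened path always yields the client's own ReplicationException regardless of the "$type" value. If a code base genuinely needs polymorphic deserialization from a remote peer, the fallback is an allow-listing ISerializationBinder that rejects every type outside a short known set, not TypeNameHandling.All.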

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High (the attacker must first intercept the replication traffic or influence the target node's URL)
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 31 October 2024: vulnerability published (CVE-2024-43383)