High severityNVD Advisory· Published Oct 31, 2024· Updated Oct 31, 2024
Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
CVE-2024-43383
Description
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.
This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Lucene.Net.ReplicatorNuGet | >= 4.8.0-beta00005, < 4.8.0-beta00017 | 4.8.0-beta00017 |
Affected products
2- Range: 4.8.0-beta00005
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-2qw8-ppr5-m96cghsaADVISORY
- lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nhghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-43383ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/10/31/2ghsaWEB
- github.com/apache/lucenenet/commit/1f61dd0fdb465e17141a79d22eb2f2bc02059accghsaWEB
News mentions
0No linked articles in our index yet.