GHSA-g643-xq6w-r67c

Suggest an improvement
Source
https://github.com/advisories/GHSA-g643-xq6w-r67c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-g643-xq6w-r67c/GHSA-g643-xq6w-r67c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g643-xq6w-r67c
Aliases
  • CVE-2024-45772
Published
2024-09-30T09:30:47Z
Modified
2024-09-30T22:12:16.290324Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.
Details

This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected.

Users are recommended to upgrade to version 9.12.0, which fixes the issue.

Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.

References

Affected packages

Maven / org.apache.lucene:lucene-replicator

Package

Name
org.apache.lucene:lucene-replicator
View open source insights on deps.dev
Purl
pkg:maven/org.apache.lucene/lucene-replicator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
9.12.0

Affected versions

4.*

4.4.0
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.9.0
4.9.1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4

5.*

5.0.0
5.1.0
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5

6.*

6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6

7.*

7.0.0
7.0.1
7.1.0
7.2.0
7.2.1
7.3.0
7.3.1
7.4.0
7.5.0
7.6.0
7.7.0
7.7.1
7.7.2
7.7.3

8.*

8.0.0
8.1.0
8.1.1
8.2.0
8.3.0
8.3.1
8.4.0
8.4.1
8.5.0
8.5.1
8.5.2
8.6.0
8.6.1
8.6.2
8.6.3
8.7.0
8.8.0
8.8.1
8.8.2
8.9.0
8.10.0
8.10.1
8.11.0
8.11.1
8.11.2
8.11.3
8.11.4

9.*

9.0.0
9.1.0
9.2.0
9.3.0
9.4.0
9.4.1
9.4.2
9.5.0
9.6.0
9.7.0
9.8.0
9.9.0
9.9.1
9.9.2
9.10.0
9.11.0
9.11.1