GHSA-2qw8-ppr5-m96c: Apache Lucene.Net.Replicator Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.

This issue affects Apache Lucene.NET’s Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.

An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.

Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
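As an added illustration (not Lucene.NET's own code): the weak pattern the advisory describes, a client that lets the server's JSON error body choose which .NET type is instantiated, beside a hardened parser that only ever binds wire data to a fixed DTO. It assumes Newtonsoft.Json as the JSON library; the class and method names and the sample response are constructed for this example.

```csharp
// Added example, not code from the Lucene.NET project. Assumes Newtonsoft.Json;
// ReplicationError, ParseErrorUnsafe and ParseErrorSafe are illustrative names.
using System;
using System.IO;
using Newtonsoft.Json;

public static class ReplicationErrorParsing
{
    // Weak pattern: with TypeNameHandling enabled, a "$type" field in the JSON
    // decides which CLR type is constructed. Whoever controls the response body
    // (a MITM on the replication link, or the owner of a rogue node URL) therefore
    // controls which type the client instantiates, which is the bug class in
    // CVE-2024-43383.
    public static Exception ParseErrorUnsafe(string body)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        return JsonConvert.DeserializeObject<Exception>(body, settings);
    }

    // Hardened: the wire format carries values only, never type names. The error is
    // bound to a plain DTO and mapped to a client-chosen exception type afterwards.
    public sealed class ReplicationError
    {
        public string Code { get; set; }
        public string Message { get; set; }
    }

    public static Exception ParseErrorSafe(string body)
    {
        // TypeNameHandling.None is Newtonsoft's default; it is set explicitly here so
        // a global default elsewhere in the application cannot silently widen it.
        // Any "$type" metadata in the body is ignored rather than honoured.
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        var err = JsonConvert.DeserializeObject<ReplicationError>(body, settings)
                  ?? throw new InvalidOperationException("empty replication error body");

        return err.Code switch
        {
            "io"  => new IOException(err.Message),
            _     => new InvalidOperationException($"replication failed ({err.Code}): {err.Message}"),
        };
    }

    // Constructed sample: a body that names a type. ParseErrorSafe discards the
    // "$type" field and always returns one of the two client-side exception types.
    public const string ConstructedBody =
        "{\"$type\":\"Placeholder.Type, PlaceholderAssembly\",\"Code\":\"io\",\"Message\":\"disk full\"}";
}
```

A useful detection check for code bases that depend on Newtonsoft.Json is to grep for `TypeNameHandling` values other than `None` on any deserialization path that reads network input.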

GitHub Advisory Database (GitHub Reviewed): CVE-2024-43383

Apache Lucene.Net.Replicator Deserialization of Untrusted Data vulnerability

High severity. GitHub Reviewed. Published Oct 31, 2024 to the GitHub Advisory Database. Updated Oct 31, 2024.

Package

Lucene.Net.Replicator (NuGet)

Affected versions

>= 4.8.0-beta00005, < 4.8.0-beta00017

Patched versions

4.8.0-beta00017

References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-43383
  • Apache announcement thread: https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh
  • Fix commit: apache/lucenenet@1f61dd0

Published to the GitHub Advisory Database: Oct 31, 2024

Last updated: Oct 31, 2024
