CVE-2024-43383: Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
First published: Thu Oct 31 2024(Updated: )
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/Lucene.Net.Replicator | >=4.8.0-beta00005<4.8.0-beta00017 | 4.8.0-beta00017 |
| Apache Lucene | =4.8.0-beta00005 | |
| Apache Lucene | =4.8.0-beta00006 | |
| Apache Lucene | =4.8.0-beta00007 | |
| Apache Lucene | =4.8.0-beta00008 | |
| Apache Lucene | =4.8.0-beta00009 | |
| Apache Lucene | =4.8.0-beta00010 | |
| Apache Lucene | =4.8.0-beta00011 | |
| Apache Lucene | =4.8.0-beta00012 | |
| Apache Lucene | =4.8.0-beta00013 | |
| Apache Lucene | =4.8.0-beta00014 | |
| Apache Lucene | =4.8.0-beta00015 | |
| Apache Lucene | =4.8.0-beta00016 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh
- https://nvd.nist.gov/vuln/detail/CVE-2024-43383
- https://github.com/apache/lucenenet/commit/1f61dd0fdb465e17141a79d22eb2f2bc02059acc
- https://github.com/advisories/GHSA-2qw8-ppr5-m96c (Advisory)
- http://www.openwall.com/lists/oss-security/2024/10/31/2
Frequently Asked Questions
What is the severity of CVE-2024-43383?
CVE-2024-43383 has been classified as a security vulnerability due to the deserialization of untrusted data.
Which versions of Apache Lucene.Net are affected by CVE-2024-43383?
CVE-2024-43383 affects Apache Lucene.Net versions 4.8.0-beta00005 through 4.8.0-beta00016.
How do I fix CVE-2024-43383?
To mitigate CVE-2024-43383, upgrade to Apache Lucene.Net version 4.8.0-beta00017 or later.
What type of vulnerability is CVE-2024-43383?
CVE-2024-43383 is categorized as a deserialization of untrusted data vulnerability.
What can happen if CVE-2024-43383 is exploited?
Exploitation of CVE-2024-43383 could allow an attacker to execute arbitrary code or manipulate data between a replication client and server.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-43383
- agent/first-publish-date
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2qw8-ppr5-m96c
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/tags
- agent/softwarecombine
- agent/event
- collector/github-advisory
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/nuget
- vendor/apache
- canonical/apache lucene
- version/apache lucene/4.8.0-beta00005
- version/apache lucene/4.8.0-beta00006
- version/apache lucene/4.8.0-beta00007
- version/apache lucene/4.8.0-beta00008
- version/apache lucene/4.8.0-beta00009
- version/apache lucene/4.8.0-beta00010
- version/apache lucene/4.8.0-beta00011
- version/apache lucene/4.8.0-beta00012
- version/apache lucene/4.8.0-beta00013
- version/apache lucene/4.8.0-beta00014
- version/apache lucene/4.8.0-beta00015
- version/apache lucene/4.8.0-beta00016