Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNjQzLXhxNnctcjY3Y84AA_3q
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.
This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0.
The deprecated org.apache.lucene.replicator.http package is affected.
The org.apache.lucene.replicator.nrt package is not affected.
Users are recommended to upgrade to version 9.12.0, which fixes the issue.
Java serialization filters (such as -Djdk.serialFilter='!*' on the command line) can mitigate the issue on vulnerable versions without impacting functionality.
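As an added illustration of the mitigation above (not code from the Lucene project or from the advisory), the following Java program serializes a constructed stand-in class and shows that a filter using the same pattern as -Djdk.serialFilter='!*', here applied per stream, rejects the data before any object is instantiated. The Payload class and the helper method names are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    // Constructed stand-in for an object a remote peer might send; not a Lucene class.
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Payload(String note) { this.note = note; }
    }

    // Serialize an object to bytes, as a client of the deprecated HTTP replicator would.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under the given filter pattern; returns true if the filter rejected the stream.
    // The pattern syntax is the same one -Djdk.serialFilter accepts, so "!*" is the advisory's mitigation.
    static boolean rejectedByFilter(byte[] data, String pattern) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // per-stream filter; the system property sets the JVM-wide default
            ois.readObject();
            return false;
        } catch (InvalidClassException e) {
            // A REJECTED filter status surfaces as InvalidClassException before the class is instantiated.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Payload("hello"));
        System.out.println("filter '*'  -> rejected=" + rejectedByFilter(data, "*"));  // allow-all: false
        System.out.println("filter '!*' -> rejected=" + rejectedByFilter(data, "!*")); // reject-all: true
    }
}
```

Setting the property on the JVM command line, as the advisory suggests, applies the same rejection to every ObjectInputStream in the process without touching application code.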
Permalink: https://github.com/advisories/GHSA-g643-xq6w-r67c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNjQzLXhxNnctcjY3Y84AA_3q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 13 days ago
Updated: 13 days ago
CVSS Score: 5.1
CVSS vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Identifiers: GHSA-g643-xq6w-r67c, CVE-2024-45772
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45772
- https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo
- https://github.com/advisories/GHSA-g643-xq6w-r67c
Affected Packages
maven:org.apache.lucene:lucene-replicator
Dependent packages: 6
Dependent repositories: 15
Downloads:
Affected Version Ranges: >= 4.4.0, < 9.12.0
Fixed in: 9.12.0
All affected versions: 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.5.2, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.7.0, 8.8.0, 8.8.1, 8.8.2, 8.9.0, 8.10.0, 8.10.1, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.9.1, 9.9.2, 9.10.0, 9.11.0, 9.11.1
All unaffected versions: