CVE-2024-43383
Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
Severity Score
8.0
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.
This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
*Credits:
Summ3r, Vidar-Team, Apache Lucene
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-08-10 CVE Reserved
- 2024-10-31 CVE Published
- 2024-11-01 CVE Updated
- 2024-11-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh | 2024-10-31 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Lucene.Net.Replicator Search vendor "Apache Software Foundation" for product "Apache Lucene.Net.Replicator" | >= 4.8.0-beta00005 <= 4.8.0-beta00016 Search vendor "Apache Software Foundation" for product "Apache Lucene.Net.Replicator" and version " >= 4.8.0-beta00005 <= 4.8.0-beta00016" | en |
Affected
| ||||||