CVE-2024-45772

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45772
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.

8.0 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/09/29/1 Third Party Advisory
https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo Mailing List Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:lucene_replicator:*:*:*:*:*:*:*:*
History

15 May 2025, 16:53

Type Values Removed Values Added
First Time Apache lucene Replicator
References () http://www.openwall.com/lists/oss-security/2024/09/29/1 - () http://www.openwall.com/lists/oss-security/2024/09/29/1 - Third Party Advisory
CPE cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:* cpe:2.3:a:apache:lucene_replicator:*:*:*:*:*:*:*:*

12 Dec 2024, 17:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/09/29/1 -
Summary Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality. Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.

04 Oct 2024, 13:20

Type Values Removed Values Added
References () https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo - () https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo - Mailing List, Mitigation, Vendor Advisory
CWE CWE-502
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.0
CPE cpe:2.3:a:apache:lucene:*:*:*:*:*:*:*:*
First Time Apache
Apache lucene

30 Sep 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-30 09:15

Updated : 2025-05-15 16:53

NVD link : CVE-2024-45772

Mitre link : CVE-2024-45772

JSON object : View

Products Affected

apache

  • lucene_replicator
CWE
CWE-502

Deserialization of Untrusted Data