Apache Lucene.NET Replicator 4.8.0-beta00005-16: DoUD RCE via JSON
CVE-2024-43383 Published on October 31, 2024
Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.
This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
Vulnerability Analysis
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2024-43383 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2024-43383
Want to know whenever a new CVE is published for Apache Lucene Net? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Lucene.Net.Replicator:- Version 4.8.0-beta00005, <= 4.8.0-beta00016 is affected.
- Version 4.8.0-beta00005, <= 4.8.0-beta00016 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.