CVE-2024-43383

high-risk
Published 2024-10-31

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.

Do I need to act?

~
4.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10 High
ADJACENT_NETWORK / LOW complexity

Affected Products (12)

Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net
Lucene.Net

Affected Vendors

Apache

References (2)

Mailing List https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh
Mailing List http://www.openwall.com/lists/oss-security/2024/10/31/2
50
/ 100
high-risk
Severity 25/34 · High
Exploitability 8/34 · Low
Exposure 17/34 · Moderate