### Key Information

- **Vulnerability ID**: CVE-2024-45772
- **Vulnerability Name**: Apache Lucene Replicator: Security Vulnerability in Lucene Replicator - Deserialization Issue
- **Release Platform**: dev@lucene.apache.org
- **Reporter**: Robert Muir
- **Report Date**: September 29, 2024
- **Severity**: Low
- **Affected Versions**:
  - Apache Lucene Replicator 4.4.0 before 9.12.0
- **Description**:
  - Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.
  - Affects the replicator module of Apache Lucene, from version 4.4.0 up to (but not including) 9.12.0.
  - Impacts the `org.apache.lucene.replicator.http` package.
  - Does **not** affect the `org.apache.lucene.replicator.nrt` package.
- **Recommendation**:
  - Upgrade to version 9.12.0 to fix the issue.
  - The command-line parameter `-Djdk.serialFilter="!"` can be used as a mitigation on affected versions without impacting functionality.
- **Contributors**:
  - Summ3r from Vidar-Team (finder)
  - Paul Irwin from Apache Lucene.NET (coordinator)
- **Reference Links**:
  - [Apache Lucene](https://lucene.apache.org/)
  - [CVE-2024-45772](https://www.cve.org/CVERecord?id=CVE-2024-45772)