By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-45772

Remote Code Execution
Affects
Apache Lucene
>=4.4.0 <9.12.0
in
Apache Solr & Lucene
No items found.
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Apache Lucene is a high-performance, full-text search library written in Java that provides powerful indexing and search capabilities. It is widely used for building search engines and applications that require efficient text retrieval, offering features like ranked searching, phrase queries, and filtering. Lucene enables developers to create scalable and customizable search solutions by indexing structured and unstructured data. It serves as the core search technology for popular search platforms like Elasticsearch and Apache Solr, making it a foundational tool for modern search applications.

A Remote Code Execution (RCE) vulnerability (CVE-2024-45772) has been identified in the Apache Lucene Replicator. This vulnerability allows attackers to deserialize untrusted data.

Per the Open Web Application Security Project (OWASP): "Code Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."

This issue affects multiple versions below 9.12.0

Details

Module Info

Vulnerability Info

The Apache Lucene Replicator module has a Deserialization of Untrusted Data vulnerability affecting versions 4.4.0 through 9.11.x. Specifically, the deprecated org.apache.lucene.replicator.http package is vulnerable, while the org.apache.lucene.replicator.nrt package remains unaffected.

To resolve this issue, users should upgrade to version 9.12.0, which includes a fix. The vulnerability can only be exploited if users deploy a network-accessible implementation along with a client that utilizes an HTTP library to interact with the affected API (e.g., a custom servlet and HTTPClient).

Credit

  • streichsbaer

Mitigation

Apache Lucene versions below or equal to 8.11.4 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Apache Lucene to 9.12.0 or add -Djdk.serialFilter='!*' option to JVM.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Pink arrow
Pink arrow
CVE-2024-45772
CVE-2024-52012
CVE-2025-24814
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-45772
PROJECT Affected
Apache Lucene
Versions Affected
>=4.4.0 <9.12.0
Published date
March 21, 2025
≈ Fix date
March 21, 2025
Fixed in
Apache Solr & Lucene NES
Severity
Medium
Category
Remote Code Execution
Sign up for the latest vulnerability alerts fixed in
Apache Solr & Lucene NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.