Apache · Apache Lucene · CVE-2024-45772
Name of the Vulnerable Software and Affected Versions:
Apache Lucene versions 4.4.0 through 9.11.0
Description:
The issue is deserialization of untrusted data in the Apache Lucene Replicator. It affects the deprecated org.apache.lucene.replicator.http package, but not the org.apache.lucene.replicator.nrt package. The deserialization can only be triggered if users actively deploy a network-accessible implementation and a corresponding client using an HTTP library that uses the API.
Recommendations:
For versions 4.4.0 through 9.11.0, upgrade to version 9.12.0 to fix the issue.
As a temporary workaround, consider using Java serialization filters, such as passing `-Djdk.serialFilter='!*'` on the JVM command line, to mitigate the issue on vulnerable versions without impacting functionality.
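The following Java program is an added illustration, not part of the advisory or of Lucene, showing what the `!*` serialization filter does: it applies the same pattern per stream via `ObjectInputFilter` (Java 9+) so the rejection can be observed in one process, and contrasts it with an allowlist that keeps a single known class readable. The `Payload` class is a constructed stand-in, not a Lucene type.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added demonstration of Java serialization filters; not Lucene code. Requires Java 9+.
public class SerialFilterDemo {

    // Constructed sample class standing in for any Serializable type a client might read.
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final long version;
        Payload(long version) { this.version = version; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Applies the same check the JVM performs globally when -Djdk.serialFilter=<pattern> is set,
    // but attached to this one stream so both outcomes can be shown in a single run.
    static Object deserialize(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Payload(42L));

        // "!*" rejects every class: the stream is refused before any object is constructed.
        try {
            deserialize(data, "!*");
            System.out.println("unexpected: object was reconstructed");
        } catch (InvalidClassException e) {
            System.out.println("rejected by '!*' filter: " + e.getMessage());
        }

        // An allowlist admits one known class and still rejects everything else.
        Payload p = (Payload) deserialize(data, "SerialFilterDemo$Payload;!*");
        System.out.println("allowed by allowlist, version=" + p.version);
    }
}
```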