Apache · Apache Lucene.Net.Replicator · CVE-2024-43383
**Name of the Vulnerable Software and Affected Versions**
Apache Lucene.Net.Replicator versions 4.8.0-beta00005 through 4.8.0-beta00016
**Description**
This is a deserialization-of-untrusted-data issue (CWE-502) in the HTTP replication path. The replication client parses the JSON body it receives from the replication server and, on an error response, deserializes it into an exception object whose concrete type is taken from the JSON itself. An attacker who can intercept traffic between a replication client and server, or who controls the target replication node URL the client connects to, can therefore return a specially crafted JSON response that is deserialized as an attacker-chosen exception type. Because the type is selected by the attacker rather than by the client, this can lead to remote code execution or other unauthorized access on the client side. Note the precondition: the attacker must be positioned on the network path or able to influence the replication URL; a client that only ever talks to a trusted server over authenticated TLS is much harder to reach.
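The following is an added illustration of the bug class described above, written for this page; it is not Lucene.NET's code and does not reproduce the project's actual types. It assumes Newtonsoft.Json (Json.NET) 13.x, and the class names `ReplicationMessage`, `SessionInfo`, `SideEffectOnDeserialize` and `AllowListBinder` are hypothetical. The vulnerable client trusts the `$type` metadata in the response body (`TypeNameHandling.All`), so the server, or anyone who can speak for it, picks the type that gets instantiated; the hardened variants either ignore `$type` entirely by deserializing into a concrete type with the default `TypeNameHandling.None`, or, where polymorphism is genuinely needed, bind `$type` only to an explicit allow list. The advisory's real target is an exception type; a plain base class is used here so the sample stays self-contained.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message hierarchy the replication client expects to receive.
public abstract class ReplicationMessage { }

public sealed class SessionInfo : ReplicationMessage
{
    public string? SessionId { get; set; }
}

// Stand-in for a dangerous type an attacker could name in "$type". A real gadget
// would have a constructor or setter with a file/process/network side effect;
// this one only records that attacker-chosen code ran during deserialization.
public sealed class SideEffectOnDeserialize : ReplicationMessage
{
    public static bool Ran;
    public string? Payload { set { Ran = true; } }
}

// Hardened option 2: only types on an explicit allow list may be bound from "$type".
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> allowed = new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(params Type[] types)
    {
        foreach (var t in types) allowed[t.Name] = t;
    }

    public Type BindToType(string? assemblyName, string typeName)
    {
        if (allowed.TryGetValue(typeName, out var t)) return t;
        // Anything not on the list is refused, whatever assembly it claims to live in.
        throw new JsonSerializationException($"Type '{typeName}' is not permitted in replication responses");
    }

    public void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
    {
        assemblyName = null;          // emit short names only; the binder above resolves them
        typeName = serializedType.Name;
    }
}

public static class ReplicationClientDemo
{
    // Constructed attacker-controlled response body (not captured from a real server).
    // With TypeNameHandling.All, Json.NET reads "$type" and instantiates whatever it names.
    public static string MaliciousBody() =>
        "{\"$type\":\"" + typeof(SideEffectOnDeserialize).AssemblyQualifiedName + "\",\"Payload\":\"x\"}";

    // VULNERABLE: the wire format decides which .NET type is created.
    public static readonly JsonSerializerSettings VulnerableSettings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };

    // HARDENED option 2: polymorphism kept, but "$type" can only select allow-listed types.
    public static readonly JsonSerializerSettings AllowListSettings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder(typeof(SessionInfo))
    };

    public static ReplicationMessage? ParseVulnerable(string body) =>
        JsonConvert.DeserializeObject<ReplicationMessage>(body, VulnerableSettings);

    public static ReplicationMessage? ParseWithAllowList(string body) =>
        JsonConvert.DeserializeObject<ReplicationMessage>(body, AllowListSettings);

    // HARDENED option 1: deserialize into the one concrete type you expect. The default
    // TypeNameHandling.None consumes and ignores "$type", so the attacker's choice is irrelevant.
    public static SessionInfo? ParseStrict(string body) =>
        JsonConvert.DeserializeObject<SessionInfo>(body);

    public static void Main()
    {
        string body = MaliciousBody();

        SideEffectOnDeserialize.Ran = false;
        var v = ParseVulnerable(body);
        Console.WriteLine($"vulnerable: created {v?.GetType().Name}, side effect ran = {SideEffectOnDeserialize.Ran}");

        SideEffectOnDeserialize.Ran = false;
        try { ParseWithAllowList(body); }
        catch (JsonSerializationException e) { Console.WriteLine("allow-list binder rejected response: " + e.Message); }
        Console.WriteLine($"allow-list: side effect ran = {SideEffectOnDeserialize.Ran}");

        SideEffectOnDeserialize.Ran = false;
        var s = ParseStrict(body);
        Console.WriteLine($"strict: created {s?.GetType().Name}, side effect ran = {SideEffectOnDeserialize.Ran}");
    }
}
```

Running this prints that the vulnerable path instantiated `SideEffectOnDeserialize` and its setter ran, while both hardened paths leave the flag false: the allow-list binder throws before any object is created, and the strict path builds a `SessionInfo` and discards the unknown `Payload` member. When auditing a code base for this class of bug, search for `TypeNameHandling` set to anything other than `None` on a serializer that reads data from the network.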
**Recommendations**
Upgrade to Lucene.Net.Replicator 4.8.0-beta00017 or later, which fixes the issue. To confirm whether a project is affected, check the version pinned in its project or packages file; on a machine with a .NET SDK that includes the feature, `dotnet list package --vulnerable` also reports known-vulnerable NuGet packages from the restore graph. Until the upgrade is in place, reduce exposure in line with the attack preconditions: make sure replication clients only connect to replication node URLs you control, restrict the source of that URL so it cannot be changed by untrusted input, and carry replication traffic over TLS to an authenticated server so an attacker cannot substitute a crafted JSON response. If none of that can be guaranteed, avoid using the vulnerable library until it has been upgraded.