WS-2021-0646 - Medium Severity Vulnerability
Vulnerable Libraries - lucene-analyzers-common-8.8.1.jar, lucene-core-8.8.1.jar, lucene-queryparser-8.8.1.jar
lucene-analyzers-common-8.8.1.jar
Additional Analyzers
Library home page: https://lucene.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/apache/lucene/lucene-analyzers-common/8.8.1/lucene-analyzers-common-8.8.1.jar
Dependency Hierarchy:
lucene-core-8.8.1.jar
Apache Lucene Java Core
Library home page: https://lucene.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/lucene/lucene-core/8.8.1/lucene-core-8.8.1.jar
Dependency Hierarchy:
lucene-queryparser-8.8.1.jar
Lucene QueryParsers module
Library home page: https://lucene.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/apache/lucene/lucene-queryparser/8.8.1/lucene-queryparser-8.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: 1068bf0e7ce0b9a2b2ddff85d8b0c78c394237f8
Found in base branch: master
Vulnerability Details
Apache Lucene through 7.x and 8.x before 8.10 is vulnerable to a denial of service. By sending a specific regular expression query, a remote attacker could exploit this vulnerability to consume all available CPU resources.
Publish Date: 2021-05-11
URL: WS-2021-0646
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://exchange.xforce.ibmcloud.com/vulnerabilities/216835
Release Date: 2021-05-11
Fix Resolution (org.apache.lucene:lucene-core): 8.10.0
Direct dependency fix Resolution (org.apache.lucene:lucene-analyzers-common): 8.10.0