Message-ID: <d356cd8e-75f9-2a92-a42b-cc7385d13c05@apache.org>
Date: Thu, 02 Jul 2026 23:00:31 +0000
From: Paul Irwin <paulirwin@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-47896: Apache Lucene.Net: Unauthenticated arbitrary file
read on the Lucene.Net.Replicator replication server
Severity:
Affected versions:
- Apache Lucene.Net (Lucene.Net.Replicator) 4.8.0-beta00005 before 4.8.0-beta00018
Description:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).
This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017.
Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
Credit:
Daniel Cervera (reporter)
Paul Irwin (coordinator)
Shad Storhaug (remediation reviewer)
References:
https://lucenenet.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-47896
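
An added dependency check, not part of the original advisory or of the Lucene.NET project's code: it flags MSBuild project files that reference Lucene.Net.Replicator in the affected range stated above. The sample project file is constructed, the function names are hypothetical, and versions that are not a plain `x.y.z[-labelNNNNN]` string are reported for manual review rather than guessed at.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Lucene.Net.Replicator"
FIRST_AFFECTED = "4.8.0-beta00005"  # lower bound, from the advisory
FIXED = "4.8.0-beta00018"           # first fixed version, from the advisory
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d+))?")

def version_key(text):
    """Sortable key for 'x.y.z' or 'x.y.z-labelNNNNN'; None if it is anything else."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, patch, label, number = m.groups()
    numbers = (int(major), int(minor), int(patch))
    # A final release (no prerelease tag) sorts after every prerelease of the same x.y.z.
    return numbers + ((1, "", 0) if label is None else (0, label.lower(), int(number)))

def classify(version):
    key = version_key(version)
    if key is None:
        return "review"  # floating version, range, MSBuild property or missing version
    affected = version_key(FIRST_AFFECTED) <= key < version_key(FIXED)
    return "affected" if affected else "not affected"

def audit_project(xml_text):
    """Return (version, verdict) for each reference to PACKAGE in a .csproj or .props file."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        tag = element.tag.rsplit("}", 1)[-1]  # old-style projects carry an XML namespace
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        if element.get("Include", "").lower() != PACKAGE.lower():  # NuGet ids ignore case
            continue
        version = element.get("Version")
        if version is None:  # child-element form, or version managed centrally
            version = next((c.text or "" for c in element if c.tag.rsplit("}", 1)[-1] == "Version"), "")
        findings.append((version.strip(), classify(version)))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Lucene.Net" Version="4.8.0-beta00016" />
    <PackageReference Include="lucene.net.replicator" Version="4.8.0-beta00016" />
    <PackageReference Include="Lucene.Net.Replicator"><Version>4.8.0-beta00018</Version></PackageReference>
    <PackageReference Include="Lucene.Net.Replicator" Version="4.8.0-*" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    print(audit_project(SAMPLE_CSPROJ))
```

A "review" verdict means the file does not pin an exact version, so the resolved version has to be read from the restore output or lock file instead.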