Hello Lucene community team,

As most tech companies do, our security department is performing automated vulnerability scans. They identified 2 similar Sonatype findings on Lucene, on all versions (as far as I know).

I've been wondering if the Lucene team plans to fix them, but could not find the information on Lucene's website. Any insight or pointers to the proper page would be appreciated.

*sonatype-2025-002050*

*The lucene package is vulnerable due to an Improper Check for Unusual or Exceptional Conditions. The clone() method in the CharTermAttributeImpl class does not properly handle exceptional events that may occur during the deep clone process. A remote attacker can exploit this vulnerability by supplying a crafted termBuffer that, upon being processed by the clone() function, will result in an unhandled SecurityException, potentially leading to Denial of Service (DoS) or other unexpected behaviors.*

*sonatype-2025-002284*

*The lucene package is vulnerable due to an Improper Check for Unusual or Exceptional Conditions. The normalize() method in the SoraniNormalizer class does not properly validate the input buffer and length parameter used to normalize Sorani text. A remote attacker can exploit this vulnerability by supplying a specially crafted text that results in an invalid value for the string buffer or length parameters. This action will cause an unexpected exception to be thrown when the delete() operation is performed, potentially leading to a Denial of Service (DoS) condition or other unexpected behaviors.*

With Regards,
Gregoire Gueret
