Thank you David for taking the time to answer. Please find below the public links to those Sonatype reports. I hope it helps.

sonatype-2025-002050: https://issues.oss-fuzz.com/issues/403330010
sonatype-2025-002284: https://issues.oss-fuzz.com/issues/407477665

With Regards,
Gregoire Gueret

On 2025/09/01 21:36:57 Dawid Weiss wrote:
> Is there any public reference to these "vulnerabilities" that we could look
> at? Like many such reports, they seem to be highly... theoretical. For
> example, this is what I found, looking around the Web -
>
> https://osv.dev/vulnerability/OSV-2023-696
>
> if you click on the affected range of commits... it makes no sense at all.
>
> A fuzzifier is great but without a reasonable postmortem on a crash and
> perhaps a more human-palatable reproducer, it's fairly useless.
>
> Dawid
>
> On Mon, Sep 1, 2025 at 7:49 PM Grégoire Guéret <[email protected]> wrote:
>
> > Hello Lucene community team,
> >
> > As most tech companies do, our security department is performing automated
> > vulnerability scans. They identified 2 similar Sonatype findings on Lucene, on
> > all versions (as far as I know).
> >
> > I've been wondering if the Lucene team plans to fix them, but could not
> > find the information on Lucene's website. Any insight or pointers to
> > the proper page would be appreciated.
> >
> > *sonatype-2025-002050*
> > *The lucene package is vulnerable due to an Improper Check for Unusual or
> > Exceptional Conditions. The clone() method in the CharTermAttributeImpl
> > class does not properly handle exceptional events that may occur during the
> > deep clone process. A remote attacker can exploit this vulnerability by
> > supplying a crafted termBuffer that, upon being processed by the clone()
> > function, will result in an unhandled SecurityException, potentially
> > leading to Denial of Service (DoS) or other unexpected behaviors.*
> >
> > *sonatype-2025-002284*
> > *The lucene package is vulnerable due to an Improper Check for Unusual or
> > Exceptional Conditions. The normalize() method in the SoraniNormalizer
> > class does not properly validate the input buffer and length parameter used
> > to normalize Sorani text. A remote attacker can exploit this vulnerability
> > by supplying a specially crafted text that results in an invalid value for
> > the string buffer or length parameters. This action will cause an
> > unexpected exception to be thrown when the delete() operation is performed,
> > potentially leading to a Denial of Service (DoS) condition or other
> > unexpected behaviors.*
> >
> > With Regards,
> > Gregoire Gueret
