Vulnerabilities > CVE-2024-22399 - Deserialization of Untrusted Data vulnerability in Apache Seata

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

apache

CWE-502

critical

NVD

Published: 2024-09-16

Updated: 2024-09-20

Summary

Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Seata 1.0.0 Apache Seata 1.1.0 Apache Seata 1.2.0 Apache Seata 1.3.0 Apache Seata 1.4.0 Apache Seata 1.4.1 Apache Seata 1.4.2 Apache Seata 1.5.0 Apache Seata 1.5.1 Apache Seata 1.5.2 Apache Seata 1.6.0 Apache Seata 1.6.1 Apache Seata 1.7.0 Apache Seata 1.7.1 Apache Seata 2.0.0	15

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4