Apache Seata Deserialization of Untrusted Data vulnerability

High severity GitHub Reviewed Published Sep 16, 2024 to the GitHub Advisory Database • Updated Sep 16, 2024

Package

org.apache.seata:seata-core (Maven)

Affected versions

>= 1.0.0, < 1.8.1
= 2.0.0

Patched versions

1.8.1
2.1.0

Description

Deserialization of Untrusted Data vulnerability in Apache Seata. 

When authentication is disabled on the Seata-Server and requests are not sent through the Seata client SDK dependencies, uncontrolled serialized malicious requests can be constructed by sending bytes directly over the Seata private protocol.

This issue affects Apache Seata 2.0.0 and versions 1.0.0 through 1.8.0.

Users are recommended to upgrade to version 2.1.0 or 1.8.1, which fixes the issue.
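The affected and patched version lists above are the actionable part of this advisory for a defender, and the usual question is "does the seata-core version my build actually resolves fall inside them?". The following is an added example, not code from the advisory or from the Seata project: it parses the advisory's range notation (">= 1.0.0, < 1.8.1" and "= 2.0.0"), compares a version against it, names the patched release on the same major line, and pulls the declared seata-core version out of a pom.xml. The sample POM and its `seata.version` property are constructed inputs; the property resolution only handles a direct `${...}` reference to a top-level `<properties>` entry, and the version tuple comparison ignores qualifiers such as `-SNAPSHOT`, which are assumptions of this example rather than anything the advisory states.

```python
"""Check an org.apache.seata:seata-core version against GHSA-3xq2-w6j4-c99r.

Added example, not part of the advisory or the Seata project. The affected
ranges and patched versions are copied from the advisory text above; the
sample pom.xml at the bottom is a constructed input.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Affected ranges exactly as the advisory lists them.
AFFECTED_RANGES = [">= 1.0.0, < 1.8.1", "= 2.0.0"]
# Patched release per major line, from the advisory.
PATCHED = {"1": "1.8.1", "2": "2.1.0"}

_CONSTRAINT = re.compile(r"(>=|<=|==|=|<|>)\s*([0-9][0-9.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.8.0' (or '1.8.0-SNAPSHOT', qualifier dropped) into a comparable tuple."""
    core = v.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def satisfies(version: str, range_spec: str) -> bool:
    """True if version meets every comma-separated constraint in range_spec."""
    v = parse_version(version)
    for op, bound in _CONSTRAINT.findall(range_spec):
        b = parse_version(bound)
        ok = {">=": v >= b, "<=": v <= b, "=": v == b, "==": v == b, "<": v < b, ">": v > b}[op]
        if not ok:
            return False
    return True


def is_affected(version: str) -> bool:
    """True if the version falls in any affected range from the advisory."""
    return any(satisfies(version, r) for r in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Patched version on the same major line, or None when not affected."""
    if not is_affected(version):
        return None
    major = str(parse_version(version)[0])
    return PATCHED.get(major)


def find_seata_core_version(pom_xml: str) -> Optional[str]:
    """Declared version of org.apache.seata:seata-core in a pom.xml string.

    Resolves a direct ${property} reference against <properties>; inherited or
    BOM-managed versions are out of scope for this example.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("./{*}properties/*")}
    for dep in root.findall(".//{*}dependency"):
        gid = (dep.findtext("{*}groupId", default="") or "").strip()
        aid = (dep.findtext("{*}artifactId", default="") or "").strip()
        if gid == "org.apache.seata" and aid == "seata-core":
            ver = (dep.findtext("{*}version", default="") or "").strip()
            m = re.fullmatch(r"\$\{([^}]+)\}", ver)
            return props.get(m.group(1), ver) if m else (ver or None)
    return None


# Constructed sample pom.xml; the property name is an assumption of this example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><seata.version>1.7.1</seata.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.seata</groupId>
      <artifactId>seata-core</artifactId>
      <version>${seata.version}</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    declared = find_seata_core_version(SAMPLE_POM)
    print(f"declared seata-core: {declared}, affected: {is_affected(declared)}, "
          f"upgrade to: {recommended_fix(declared)}")
```

Run it against a real `pom.xml` by reading the file into `find_seata_core_version`; for multi-module builds, `mvn dependency:tree` output is the more reliable source of the resolved version, and the same `is_affected` check applies to the string it prints.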

References

Published by the National Vulnerability Database Sep 16, 2024
Published to the GitHub Advisory Database Sep 16, 2024
Reviewed Sep 16, 2024
Last updated Sep 16, 2024

Severity

High

EPSS score

0.043%
(10th percentile)

CVE ID

CVE-2024-22399

GHSA ID

GHSA-3xq2-w6j4-c99r