← Back

CVE-2024-22399

nvd nist
Published: Sep 16, 2024Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

Affected (2)

Products: Apache: Seata
Apache
1 product
Seata
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Apache
Seata
From 1.0.0 to 1.8.1
Seata
Version 2.0.0

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

Source: security@apache.org
Mailing ListVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.