CVE-2024-22399

Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/09/11/2

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:seata::::::::
	cpe:2.3:a:apache:seata:2.0.0:::::::*

History

21 Nov 2024, 08:56

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/09/11/2 -

20 Sep 2024, 16:37

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de deserialización de datos no confiables en Apache Seata. Cuando los desarrolladores deshabilitan la autenticación en Seata-Server y no utilizan las dependencias del SDK del cliente Seata, pueden crear solicitudes maliciosas serializadas no controladas mediante el envío directo de bytecode basado en el protocolo privado Seata. Este problema afecta a Apache Seata: 2.0.0, desde 1.0.0 hasta 1.8.0. Se recomienda a los usuarios que actualicen a la versión 2.1.0/1.8.1, que soluciona el problema.
References	~~() https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4 -~~	() https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4 - Mailing List, Vendor Advisory
First Time		Apache Apache seata
CPE		cpe:2.3:a:apache:seata:2.0.0:::::::* cpe:2.3:a:apache:seata::::::::

17 Sep 2024, 02:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

16 Sep 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-16 12:15

Updated : 2024-11-21 08:56

NVD link : CVE-2024-22399

Mitre link : CVE-2024-22399

CVE.ORG link : CVE-2024-22399

JSON object : View

Products Affected

apache

seata

CWE

CWE-502

Deserialization of Untrusted Data

9.8 /10