CVE-2024-22399

Sept. 16, 2024, 3:30 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Apache Seata

  • 2.0.0
  • 1.0.0 - 1.8.0

Source

security@apache.org

CVE-2024-22399 details

Published : Sept. 16, 2024, 12:15 p.m.
Last Modified : Sept. 16, 2024, 3:30 p.m.

Description

Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

CVSS Score

Not yet assigned (record is awaiting NVD analysis).

Weakness

Weakness: CWE-502
Name: Deserialization of Untrusted Data
Description: The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

URL: https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4
Source: security@apache.org