CVE-2024-22399

CVE-2024-22399: Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server

Vendor Apache Software Foundation

Product Apache Seata

Weakness CWE-502 · Unsafe deserialization

Published September 16, 2024

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

Key dates

Disclosure timeline

September 16, 2024 CVE published

September 16, 2024 Record updated

Identifiers

CVE CVE-2024-22399

CWE CWE-502

Affected versions

Vendor Apache Software Foundation

Product Apache Seata

Affected 2.0.0

Vendor Apache Software Foundation

Product Apache Seata

Affected ≥ 1.0.0 and ≤ 1.8.0