Lucene search

GoogleOSV:GHSA-3XQ2-W6J4-C99R

HistorySep 16, 2024 - 2:37 p.m.

Apache Seata Deserialization of Untrusted Data vulnerability

2024-09-1614:37:28

Google

osv.dev

apache seata

untrusted data

deserialization

vulnerability

seata-server

seata client sdk dependencies

serialized malicious requests

bytecode

private protocol

upgrade

version 2.1.0

version 1.8.1

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

55.3%

JSON

Deserialization of Untrusted Data vulnerability in Apache Seata.

When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol.

This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0.

Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

References

github.com/apache/incubator-seata

lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4

nvd.nist.gov/vuln/detail/CVE-2024-22399

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

55.3%

JSON

Related for OSV:GHSA-3XQ2-W6J4-C99R