Lucene search
ApacheVULNRICHMENT:CVE-2024-22399HistorySep 16, 2024 - 11:42 a.m.
CVE-2024-22399 Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server
2024-09-1611:42:05
CWE-502
apache
github.com
1
apache seata
remote code execution
hessian deserialization
untrusted data
vulnerability
seata server
authentication
seata client sdk
serialized malicious requests
bytecode
seata private protocol
upgrade
version 2.1.0
version 1.8.1
AI Score
9.7
Confidence
High
EPSS
0.002
Percentile
55.3%
SSVC
Exploitation
none
Automatable
yes
Technical Impact
total
Deserialization of Untrusted Data vulnerability in Apache Seata.
When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol.
This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0.
Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:apache:seata:*:*:*:*:*:*:*:*"
],
"vendor": "apache",
"product": "seata",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"versionType": "semver",
"lessThanOrEqual": "1.8.0"
},
{
"status": "affected",
"version": "2.0.0"
}
],
"defaultStatus": "unaffected"
}
]Related
osv
osv
Apache Seata Deserialization of Untrusted Data vulnerability
2024-09-16 14:37:28
cve
cve
CVE-2024-22399
2024-09-16 12:15:02
cvelist
cvelist
nvd
nvd
CVE-2024-22399
2024-09-16 12:15:02
github
github
Apache Seata Deserialization of Untrusted Data vulnerability
2024-09-16 14:37:28
AI Score
9.7
Confidence
High
EPSS
0.002
Percentile
55.3%
SSVC
Exploitation
none
Automatable
yes
Technical Impact
total
Related for VULNRICHMENT:CVE-2024-22399