PT-2024-6870 · Apache · Apache Seata

X1R0Z · Published 2024-09-11 · Updated 2024-09-20 · CVE-2024-22399

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Seata versions 1.0.0 through 1.8.0
Apache Seata version 2.0.0
Description

The issue is a deserialization of untrusted data in Apache Seata. When authentication on the Seata-Server is disabled, a client does not have to go through the Seata client SDK: it can speak the Seata private protocol directly and submit uncontrolled serialized data, which the server deserializes without validation. A remote attacker can use such a specially crafted request to cause a denial of service.
Recommendations

For Apache Seata versions 1.0.0 through 1.8.0, upgrade to version 1.8.1, which fixes the issue. For Apache Seata version 2.0.0, upgrade to version 2.1.0, which fixes the issue. Until the upgrade is applied, keep (or re-enable) authentication on the Seata-Server so that unauthenticated clients cannot submit requests for the server to deserialize; disabled authentication is the precondition for exploitation, not a mitigation.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2024-08093
CVE-2024-22399
GHSA-3XQ2-W6J4-C99R

Affected Products

Apache Seata