CVE-2024-47552
Published: 20 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2024-47552 is a Deserialization of Untrusted Data vulnerability (CWE-502) in Apache Seata (incubating), affecting versions from 2.0.0 before 2.2.0. The flaw arises when the software, an open-source distributed transaction solution used to coordinate transactions across microservices, deserializes untrusted data.
The vulnerability is exploitable only in the optional Raft cluster mode, a non-default feature introduced in version 2.0.0, and requires an attacker to have prior unauthorized access to the internal network where Seata operates as middleware between Transaction Coordinator (TC) and Resource Manager/Transaction Manager (RM/TM) nodes. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating potential for unauthenticated remote exploitation with high impact on confidentiality, integrity, and availability; real-world exploitation is nonetheless highly improbable because Seata is deployed internally within trusted intranet environments.
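The defensive pattern for CWE-502 in Java code is to never let a stream decide which classes get instantiated: an `ObjectInputFilter` allowlist rejects any class not explicitly expected, and it does so before that class's deserialization logic runs. The following is an added illustration of that mitigation, written for this page; it is not Apache Seata's code, says nothing about which serializer Seata's Raft mode uses, and the `ClusterMessage` and `NotAllowed` types are invented stand-ins for an expected payload and an unexpected one.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SafeDeserializeDemo {

    // Hypothetical message type standing in for a cluster-internal payload (not a Seata type).
    static final class ClusterMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String type;
        final long term;
        ClusterMessage(String type, long term) { this.type = type; this.term = term; }
    }

    // Hypothetical class that a peer should never be able to make us instantiate.
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allowlist filter (Java 9+): only ClusterMessage and classes from the java.base module
    // are accepted; "!*" rejects everything else. maxdepth/maxarray also bound the object
    // graph so a crafted stream cannot exhaust memory before the class check even matters.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxarray=1000;"
        + SafeDeserializeDemo.class.getName() + "$ClusterMessage;"
        + "java.base/*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter is installed on the stream before readObject(), so every class in the
    // stream (including nested fields) is checked against the allowlist as it is resolved.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: accepted.
        byte[] ok = serialize(new ClusterMessage("heartbeat", 7));
        ClusterMessage m = (ClusterMessage) deserializeFiltered(ok);
        System.out.println("accepted: " + m.type + " term=" + m.term);

        // Constructed stream carrying a class outside the allowlist: rejected with
        // InvalidClassException ("filter status: REJECTED") before any of its code runs.
        byte[] unexpected = serialize(new NotAllowed());
        try {
            deserializeFiltered(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` or the `jdk.serialFilter` system property, which is the safer default for middleware that accepts serialized objects from other nodes, because it also covers streams opened by third-party code. An allowlist such as this is a hardening measure for code you control; for the vulnerability on this page the fix remains the upgrade to 2.2.0.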
Apache Seata advisories recommend upgrading to version 2.2.0, which resolves the issue, as detailed in the security announcement and corresponding GitHub commit. The Apache Seata security team rates the severity as "Low" owing to the strict isolation to Raft mode and the need for intranet access, with notifications posted to Apache mailing lists and oss-security.
No evidence of real-world exploitation has been reported for this vulnerability.
Details
Why these techniques?
The deserialization vulnerability enables exploitation of the internal Seata remote service for RCE (T1210), which in turn facilitates arbitrary command execution via interpreters (T1059).