
GHSA-2r4x-667f-mpfh: fix artifact and fix commit reference#7228

Merged
advisory-database[bot] merged 1 commit into github:raboof/advisory-improvement-7228 from raboof:update-GHSA-2r4x-667f-mpfh on Mar 27, 2026

Conversation


@raboof raboof commented Mar 24, 2026

Now also included on the upstream CVE, https://www.cve.org/CVERecord?id=CVE-2024-47552

@github-actions github-actions Bot changed the base branch from main to raboof/advisory-improvement-7228 March 24, 2026 16:06
@advisory-database advisory-database Bot merged commit c108092 into github:raboof/advisory-improvement-7228 Mar 27, 2026
@advisory-database
Contributor

Hi @raboof! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@helixplant

Hi,
There seems to be an issue with the org.apache.seata:seata-server package: since it does not exist, we cannot issue alerts for it. Based on the documentation, it seems the server is within the config package. The advisory has been updated to reflect the proper commit reference. Please let me know if you have any further questions.

#7229 - same issue with the package

@raboof
Author

raboof commented Mar 27, 2026

Oof, good observation, I'll get to the bottom of this.

@raboof
Author

raboof commented Mar 30, 2026

I have checked this with the Apache Seata team.

It is indeed the case that the 'seata-server' artifact is not published to Maven Central: only the client SDKs are. The server is a standalone runnable application and not distributed through Maven Central at all, but as source and as pre-compiled binary packages (e.g., zip/tar files or Docker images). In those binary packages, the component is still explicitly named seata-server.jar (typically located under the seata-server/target/ or target/ directory alongside bin, conf, lib, etc.), as a standalone JAR with appropriate metadata and not obfuscated or deeply embedded.

As such we believe the Maven org.apache.seata:seata-server is still the identification that would be most likely to be accurately picked up by security scanners, even if the artifact is not actually pushed to Maven Central but distributed independently.
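The comment above rests on how a file-based scanner would identify a standalone `seata-server.jar` that never passes through Maven Central: a Maven-built JAR carries its own coordinates in `META-INF/maven/<groupId>/<artifactId>/pom.properties`, and a scanner that reads that file can match the JAR against an advisory's `org.apache.seata:seata-server` entry without any registry lookup. The following script is an added example written for this thread, not code from the advisory database, the Seata project, or any participant. It builds a constructed stand-in JAR in memory (only the metadata a scanner reads), extracts every coordinate it declares (a shaded JAR can carry several), and checks each against an advisory entry. The advisory id and coordinate come from this page; the version range and the JAR's version string are placeholders and not the real affected range of GHSA-2r4x-667f-mpfh.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedPackage:
    """One 'affected' entry of an advisory in the Maven ecosystem.
    Versions are compared as dotted numeric tuples: introduced <= v < fixed."""
    advisory_id: str
    package: str          # Maven coordinate "groupId:artifactId"
    introduced: str
    fixed: str


def version_key(version: str) -> tuple:
    """Turn '2.1.0' (or '2.1.0-SNAPSHOT') into (2, 1, 0) for ordering.
    Any '-suffix' is dropped; this is deliberately simpler than full Maven ordering."""
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def read_maven_coordinates(jar_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return every (groupId, artifactId, version) declared by a pom.properties
    under META-INF/maven/ inside the JAR. A shaded/fat JAR may declare several,
    so all of them are returned rather than just the first."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


def match_advisories(jar_bytes: bytes, advisories) -> list[tuple[str, str, str]]:
    """Return (advisory_id, coordinate, version) for every affected entry the JAR matches."""
    hits = []
    for group_id, artifact_id, version in read_maven_coordinates(jar_bytes):
        coordinate = f"{group_id}:{artifact_id}"
        for adv in advisories:
            if adv.package != coordinate:
                continue
            if version_key(adv.introduced) <= version_key(version) < version_key(adv.fixed):
                hits.append((adv.advisory_id, coordinate, version))
    return hits


def build_sample_jar(group_id: str, artifact_id: str, version: str) -> bytes:
    """Constructed stand-in for a Maven-built JAR: just the manifest and the
    pom.properties a scanner reads, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr(
            f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
            f"#Generated by Maven\ngroupId={group_id}\nartifactId={artifact_id}\nversion={version}\n",
        )
    return buf.getvalue()


# Constructed advisory entry: id and coordinate are from the page; the version
# range is a placeholder, NOT the real affected range of GHSA-2r4x-667f-mpfh.
SAMPLE_ADVISORIES = [
    AffectedPackage("GHSA-2r4x-667f-mpfh", "org.apache.seata:seata-server",
                    introduced="0", fixed="9.9.9-PLACEHOLDER"),
]

# Constructed JAR with a placeholder version string.
SAMPLE_JAR = build_sample_jar("org.apache.seata", "seata-server", "1.2.3-PLACEHOLDER")


def demo() -> list[tuple[str, str, str]]:
    return match_advisories(SAMPLE_JAR, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for advisory_id, coordinate, version in demo():
        print(f"{advisory_id}: {coordinate} {version} is within the affected range")
```

The same `read_maven_coordinates` applied to a real `seata-server.jar` from a binary distribution is what lets a scanner report the `org.apache.seata:seata-server` coordinate even though no such artifact exists on Maven Central; a manifest-based tool such as Dependabot, which only sees what a build file declares, has nothing to match and is why the database cannot alert on that name.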
