CVE-2014-1202

The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

Published Bycve@mitre.org

Published DateJan 25, 2014, 01:55

Affected Versions(1)

com.smartbear.soapui:soapui(Maven)

Introduced0

Fixed4.6.4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.smartbear.soapui:soapui(Maven)	0	4.6.4	N/A

Weakness Type (CWE):CWE-94

CVSS Metrics

Base Score

9.3

Vector String

AV:N/AC:M/Au:N/C:C/I:C/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

COMPLETE

Integrity (I)

COMPLETE

Availability (A)

COMPLETE

References

http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html
http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html
http://www.exploit-db.com/exploits/30908
http://www.youtube.com/watch?v=3lCLE64rsc0
https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt

Weakness Type (CWE):CWE-94

CVSS Metrics

Base Score

9.3

Vector String

AV:N/AC:M/Au:N/C:C/I:C/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

COMPLETE

Integrity (I)

COMPLETE

Availability (A)

COMPLETE