SB2014012501 - Code Injection in SmartBear SoapUI
Published: January 25, 2014 Updated: August 10, 2020
Security Bulletin ID
SB2014012501
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Code Injection (CVE-ID: CVE-2014-1202)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
Remediation
Install update from vendor's website.
References
- http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html
- http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html
- http://www.exploit-db.com/exploits/30908
- http://www.youtube.com/watch?v=3lCLE64rsc0
- https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt