CVE-2014-1202: Code Injection
First published: Sat Jan 25 2014(Updated: )
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.smartbear.soapui:soapui | <4.6.4 | 4.6.4 |
| SoapUI | =2.5.1 | |
| SoapUI | =3.0.1 | |
| SoapUI | =3.5 | |
| SoapUI | =3.5.1 | |
| SoapUI | =3.6 | |
| SoapUI | =3.6.1 | |
| SoapUI | <=4.6.3 | |
| SoapUI | =4.0 | |
| SoapUI | =4.0-beta1 | |
| SoapUI | =4.0-beta2 | |
| SoapUI | =4.0.1 | |
| SoapUI | =4.5 | |
| SoapUI | =4.5.1 | |
| SoapUI | =4.5.2 | |
| SoapUI | =4.6.0 | |
| SoapUI | =4.6.1 | |
| SoapUI | =4.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html
- http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html
- http://www.exploit-db.com/exploits/30908
- http://www.youtube.com/watch?v=3lCLE64rsc0
- https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt
- https://nvd.nist.gov/vuln/detail/CVE-2014-1202
- https://github.com/SmartBear/soapui/commit/6373165649ad74257493c69dbc0569caa7e6b4a6
- https://github.com/advisories/GHSA-c2fp-mpmm-cqxv (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-1202?
CVE-2014-1202 is classified as a critical vulnerability due to its potential for remote code execution.
How do I fix CVE-2014-1202?
To fix CVE-2014-1202, upgrade to SoapUI version 4.6.4 or later.
What software is affected by CVE-2014-1202?
CVE-2014-1202 affects multiple versions of SoapUI, specifically versions prior to 4.6.4, including 2.5.1, 3.0.1, 3.5, and others.
What are the risks associated with CVE-2014-1202?
The risks associated with CVE-2014-1202 include the potential for unauthorized remote code execution, allowing attackers to execute arbitrary Java code.
Is there a workaround for CVE-2014-1202?
There is no official workaround for CVE-2014-1202; the recommended solution is to upgrade to the latest version.
- collector/github-advisory-latest
- alias/GHSA-c2fp-mpmm-cqxv
- alias/CVE-2014-1202
- collector/github-advisory
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/softwarecombine
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- vendor/eviware
- canonical/soapui
- version/soapui/2.5.1
- version/soapui/3.0.1
- version/soapui/3.5
- version/soapui/3.5.1
- version/soapui/3.6
- version/soapui/3.6.1
- vendor/smartbear
- version/soapui/4.6.3
- version/soapui/4.0
- version/soapui/4.0-beta1
- version/soapui/4.0-beta2
- version/soapui/4.0.1
- version/soapui/4.5
- version/soapui/4.5.1
- version/soapui/4.5.2
- version/soapui/4.6.0
- version/soapui/4.6.1
- version/soapui/4.6.2