CVE-2014-1202
critical
CVSS v3
—
CVSS v2
9.3
VIR risk
9.3
Description
Code injection via property expansion in SoapUI
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | com.smartbear.soapui:soapui | <4.6.4 | 4.6.4 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| eviware | soapui | 2.5.1 | |
| eviware | soapui | 3.0.1 | |
| eviware | soapui | 3.5 | |
| eviware | soapui | 3.5.1 | |
| eviware | soapui | 3.6 | |
| eviware | soapui | 3.6.1 | |
| smartbear | soapui | {"endIncluding":"4.6.3"} | |
| smartbear | soapui | 4.0 | |
| smartbear | soapui | 4.0.1 | |
| smartbear | soapui | 4.5 | |
| smartbear | soapui | 4.5.1 | |
| smartbear | soapui | 4.5.2 | |
| smartbear | soapui | 4.6.0 | |
| smartbear | soapui | 4.6.1 | |
| smartbear | soapui | 4.6.2 | |
References
- http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html
- http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html
- http://www.exploit-db.com/exploits/30908
- http://www.youtube.com/watch?v=3lCLE64rsc0
- https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt
- https://nvd.nist.gov/vuln/detail/CVE-2014-1202
- https://github.com/SmartBear/soapui/commit/6373165649ad74257493c69dbc0569caa7e6b4a6
- https://github.com/SmartBear/soapui
CWEs
CWE-94
Verify integrity in audit chain (admin only). AS-IS.