Code injection via property expansion in SoapUI

CVE-2014-1202 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

Basic information

Type: reviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2022-05-17 04:53:43 UTC
Updated: 2023-12-21 19:26:22 UTC
GitHub reviewed: 2023-12-21 19:26:21 UTC
NVD published: 2014-01-24

EPSS Score

Score	Percentile
17.35%	94.80%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-c2fp-mpmm-cqxv ↗
CVE	CVE-2014-1202 ↗

CWEs

CWE id	Name
CWE-94	Improper Control of Generation of Code ('Code Injection')

Credits

q5438722 (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	com.smartbear.soapui:soapui	< 4.6.4	4.6.4	—

References

cvelogic Threat Intelligence