{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-14T00:00:00", "descriptions": [{"lang": "en", "value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-26T19:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.youtube.com/watch?v=3lCLE64rsc0"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"}, {"name": "30908", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/30908"}, {"tags": ["x_refsource_MISC"], "url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1202", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.youtube.com/watch?v=3lCLE64rsc0", "refsource": "MISC", "url": "http://www.youtube.com/watch?v=3lCLE64rsc0"}, {"name": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"}, {"name": "30908", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/30908"}, {"name": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html", "refsource": "MISC", "url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"}, {"name": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt", "refsource": "CONFIRM", "url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:34:40.758Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.youtube.com/watch?v=3lCLE64rsc0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"}, {"name": "30908", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/30908"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1202", "datePublished": "2014-01-25T01:00:00", "dateReserved": "2014-01-07T00:00:00", "dateUpdated": "2024-08-06T09:34:40.758Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eviware:soapui:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "32393C29-BD37-4F56-889F-25699D58974A", "vulnerable": true}, {"criteria": "cpe:2.3:a:eviware:soapui:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "36608A9D-8A2B-4FF9-AC05-5BFC34313CF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:eviware:soapui:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "3E47B37D-03CA-453F-BB90-650BAB6AE4EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:eviware:soapui:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "BBE4DBFB-5D5B-4E6B-B071-46A45F1A7D11", "vulnerable": true}, {"criteria": "cpe:2.3:a:eviware:soapui:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AD1FB5B8-4540-4FA1-9261-D3B476B0DE9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:eviware:soapui:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "3DED1D4D-D025-4F3A-88E8-8F62139A2D00", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB028D9D-B958-46B9-ADE2-769C86654B66", "versionEndIncluding": "4.6.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F256F595-A044-4BBB-846B-88005B6E9561", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "9AD9A2CA-FE10-4634-8C05-392F8FD21802", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "E7D711B4-0E91-4DBB-A208-F5C105213691", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "43A50E18-ABEF-4E0B-B8AB-5C9DBE95AF85", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "9C3BCB53-FDC9-4664-BA3B-388E2D4917EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3D2DE81-5D41-4796-B7B2-43C69B82947C", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "6FDA6D02-2064-4DA2-B0E5-197AE4205D13", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "1F217D88-D80A-4413-A4F4-CEF4F8B248E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "DAA32495-DA2D-4447-AD2A-A71C49F8AD8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:smartbear:soapui:4.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "92ED7FFC-C206-4A83-B37D-3BA9D237D3D2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."}, {"lang": "es", "value": "La funcionalidad de importaci\u00f3n WSDL/WADL en SoapUI anteriores a 4.6.4 permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de par\u00e1metros de petici\u00f3n manipulados en un fichero WSDL."}], "id": "CVE-2014-1202", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-01-25T01:55:05.973", "references": [{"source": "cve@mitre.org", "url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/30908"}, {"source": "cve@mitre.org", "url": "http://www.youtube.com/watch?v=3lCLE64rsc0"}, {"source": "cve@mitre.org", "url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/30908"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.youtube.com/watch?v=3lCLE64rsc0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "SoapUI: remote code execution when processing WSDL", "id": "1058582", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058582"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "draft"}, "details": ["The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."], "name": "CVE-2014-1202", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Not affected", "package_name": "soapui", "product_name": "Red Hat JBoss SOA Platform 4.3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Not affected", "package_name": "soapui", "product_name": "Red Hat JBoss SOA Platform 5"}], "public_date": "2014-01-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-1202\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1202\nhttp://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"], "statement": "Not affected. Red Hat JBoss SOA Platform 4.3 and 5.3 support the SOAPClient action, which will use the SoapUI library to make calls to external web services. However, these products use SoapUI 1.7.1, while the vulnerable property expansion feature was not introduced until SoapUI 2.5. Therefore no Red Hat products are affected by this flaw.", "threat_severity": "Important"}