Search criteria
12 vulnerabilities found for soapui by smartbear
FKIE_CVE-2024-7565
Vulnerability from fkie_nvd - Published: 2024-11-22 22:15 - Updated: 2024-12-19 19:15
Severity ?
Summary
SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:smartbear:soapui:.5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FFCD977F-EB9F-4438-A4DF-588D797749B6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo mediante el m\u00e9todo unpackageAll Directory Traversal de SMARTBEAR SoapUI. Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en las instalaciones afectadas de SMARTBEAR SoapUI. Para explotar esta vulnerabilidad se requiere la interacci\u00f3n del usuario, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe dentro de la funci\u00f3n unpackageAll. El problema es el resultado de la falta de una validaci\u00f3n adecuada de una ruta proporcionada por el usuario antes de usarla en operaciones con archivos. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del usuario actual. Era ZDI-CAN-19060."
}
],
"id": "CVE-2024-7565",
"lastModified": "2024-12-19T19:15:24.127",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "zdi-disclosures@trendmicro.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-22T22:15:18.593",
"references": [
{
"source": "zdi-disclosures@trendmicro.com",
"tags": [
"Release Notes"
],
"url": "https://www.soapui.org/downloads/latest-release/release-notes/"
},
{
"source": "zdi-disclosures@trendmicro.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1100/"
}
],
"sourceIdentifier": "zdi-disclosures@trendmicro.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "zdi-disclosures@trendmicro.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2019-12180
Vulnerability from fkie_nvd - Published: 2020-02-05 17:15 - Updated: 2024-11-21 04:22
Severity ?
Summary
An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:smartbear:readyapi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8923E48C-A1B7-4C10-92BB-1ACF469B0D9D",
"versionEndIncluding": "3.0.0",
"versionStartIncluding": "2.8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1668E5CF-5AF5-421A-9EBE-5BC9E89C8551",
"versionEndIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy \"Load Script\" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the \"Save Script\" function, which is executed automatically when saving a project."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en SmartBear ReadyAPI versiones hasta 2.8.2 y 3.0.0 y SoapUI versiones hasta 5.5. Cuando se abre un proyecto, el \"Load Script\" de Groovy es ejecutado autom\u00e1ticamente. Esto permite a un atacante ejecutar un c\u00f3digo de Groovy Language arbitrario (lenguaje de scripting Java) sobre la m\u00e1quina v\u00edctima al inducirlo para abrir un Proyecto malicioso. El mismo problema est\u00e1 presente en la funci\u00f3n \"Save Script\", que es ejecutada autom\u00e1ticamente cuando se guarda un proyecto."
}
],
"id": "CVE-2019-12180",
"lastModified": "2024-11-21T04:22:22.793",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-05T17:15:10.363",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-16670
Vulnerability from fkie_nvd - Published: 2018-02-19 19:29 - Updated: 2024-11-21 03:16
Severity ?
Summary
The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:smartbear:soapui:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D6F0D6CB-19D5-469F-92A5-E12AD14F864D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file."
},
{
"lang": "es",
"value": "a funcionalidad de importaci\u00f3n de proyectos en SoapUI 5.3.0 permite que los atacantes remotos ejecuten c\u00f3digo Java arbitrario mediante un par\u00e1metro request manipulado en un archivo de proyecto WSDL."
}
],
"id": "CVE-2017-16670",
"lastModified": "2024-11-21T03:16:47.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-19T19:29:00.610",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-1202
Vulnerability from fkie_nvd - Published: 2014-01-25 01:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eviware | soapui | 2.5.1 | |
| eviware | soapui | 3.0.1 | |
| eviware | soapui | 3.5 | |
| eviware | soapui | 3.5.1 | |
| eviware | soapui | 3.6 | |
| eviware | soapui | 3.6.1 | |
| smartbear | soapui | * | |
| smartbear | soapui | 4.0 | |
| smartbear | soapui | 4.0 | |
| smartbear | soapui | 4.0 | |
| smartbear | soapui | 4.0.1 | |
| smartbear | soapui | 4.5 | |
| smartbear | soapui | 4.5.1 | |
| smartbear | soapui | 4.5.2 | |
| smartbear | soapui | 4.6.0 | |
| smartbear | soapui | 4.6.1 | |
| smartbear | soapui | 4.6.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eviware:soapui:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32393C29-BD37-4F56-889F-25699D58974A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eviware:soapui:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "36608A9D-8A2B-4FF9-AC05-5BFC34313CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eviware:soapui:3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3E47B37D-03CA-453F-BB90-650BAB6AE4EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eviware:soapui:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BBE4DBFB-5D5B-4E6B-B071-46A45F1A7D11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eviware:soapui:3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AD1FB5B8-4540-4FA1-9261-D3B476B0DE9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eviware:soapui:3.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3DED1D4D-D025-4F3A-88E8-8F62139A2D00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB028D9D-B958-46B9-ADE2-769C86654B66",
"versionEndIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F256F595-A044-4BBB-846B-88005B6E9561",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "9AD9A2CA-FE10-4634-8C05-392F8FD21802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "E7D711B4-0E91-4DBB-A208-F5C105213691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "43A50E18-ABEF-4E0B-B8AB-5C9DBE95AF85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "9C3BCB53-FDC9-4664-BA3B-388E2D4917EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A3D2DE81-5D41-4796-B7B2-43C69B82947C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6FDA6D02-2064-4DA2-B0E5-197AE4205D13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1F217D88-D80A-4413-A4F4-CEF4F8B248E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DAA32495-DA2D-4447-AD2A-A71C49F8AD8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smartbear:soapui:4.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "92ED7FFC-C206-4A83-B37D-3BA9D237D3D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."
},
{
"lang": "es",
"value": "La funcionalidad de importaci\u00f3n WSDL/WADL en SoapUI anteriores a 4.6.4 permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de par\u00e1metros de petici\u00f3n manipulados en un fichero WSDL."
}
],
"id": "CVE-2014-1202",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-01-25T01:55:05.973",
"references": [
{
"source": "cve@mitre.org",
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"source": "cve@mitre.org",
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-7565 (GCVE-0-2024-7565)
Vulnerability from cvelistv5 – Published: 2024-11-22 21:32 – Updated: 2024-11-26 15:40
VLAI?
Title
SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability
Summary
SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060.
Severity ?
7.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:smartbear:soapui:5.7.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "soapui",
"vendor": "smartbear",
"versions": [
{
"status": "affected",
"version": "5.7.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T15:14:57.429574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T15:40:08.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SoapUI",
"vendor": "SMARTBEAR",
"versions": [
{
"status": "affected",
"version": "SoapUI 5.7.0"
}
]
}
],
"dateAssigned": "2024-08-06T10:58:01.864-05:00",
"datePublic": "2024-08-06T11:08:18.849-05:00",
"descriptions": [
{
"lang": "en",
"value": "SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T21:32:27.245Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-1100",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1100/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.soapui.org/downloads/latest-release/release-notes/"
}
],
"source": {
"lang": "en",
"value": "kimiya"
},
"title": "SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-7565",
"datePublished": "2024-11-22T21:32:27.245Z",
"dateReserved": "2024-08-06T15:58:01.828Z",
"dateUpdated": "2024-11-26T15:40:08.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12180 (GCVE-0-2019-12180)
Vulnerability from cvelistv5 – Published: 2020-02-05 16:06 – Updated: 2024-08-04 23:10
VLAI?
Summary
An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:30.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy \"Load Script\" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the \"Save Script\" function, which is executed automatically when saving a project."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-05T16:06:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12180",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy \"Load Script\" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the \"Save Script\" function, which is executed automatically when saving a project."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt",
"refsource": "MISC",
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12180",
"datePublished": "2020-02-05T16:06:44",
"dateReserved": "2019-05-19T00:00:00",
"dateUpdated": "2024-08-04T23:10:30.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16670 (GCVE-0-2017-16670)
Vulnerability from cvelistv5 – Published: 2018-02-19 19:00 – Updated: 2024-08-05 20:27
VLAI?
Summary
The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:27:04.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-19T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-16670",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16670",
"datePublished": "2018-02-19T19:00:00",
"dateReserved": "2017-11-08T00:00:00",
"dateUpdated": "2024-08-05T20:27:04.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1202 (GCVE-0-2014-1202)
Vulnerability from cvelistv5 – Published: 2014-01-25 01:00 – Updated: 2024-08-06 09:34
VLAI?
Summary
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:34:40.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"name": "30908",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-01-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-26T19:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"name": "30908",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.youtube.com/watch?v=3lCLE64rsc0",
"refsource": "MISC",
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"name": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"name": "30908",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"name": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html",
"refsource": "MISC",
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"name": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt",
"refsource": "CONFIRM",
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1202",
"datePublished": "2014-01-25T01:00:00",
"dateReserved": "2014-01-07T00:00:00",
"dateUpdated": "2024-08-06T09:34:40.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7565 (GCVE-0-2024-7565)
Vulnerability from nvd – Published: 2024-11-22 21:32 – Updated: 2024-11-26 15:40
VLAI?
Title
SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability
Summary
SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060.
Severity ?
7.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:smartbear:soapui:5.7.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "soapui",
"vendor": "smartbear",
"versions": [
{
"status": "affected",
"version": "5.7.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T15:14:57.429574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T15:40:08.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SoapUI",
"vendor": "SMARTBEAR",
"versions": [
{
"status": "affected",
"version": "SoapUI 5.7.0"
}
]
}
],
"dateAssigned": "2024-08-06T10:58:01.864-05:00",
"datePublic": "2024-08-06T11:08:18.849-05:00",
"descriptions": [
{
"lang": "en",
"value": "SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T21:32:27.245Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-1100",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1100/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.soapui.org/downloads/latest-release/release-notes/"
}
],
"source": {
"lang": "en",
"value": "kimiya"
},
"title": "SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-7565",
"datePublished": "2024-11-22T21:32:27.245Z",
"dateReserved": "2024-08-06T15:58:01.828Z",
"dateUpdated": "2024-11-26T15:40:08.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12180 (GCVE-0-2019-12180)
Vulnerability from nvd – Published: 2020-02-05 16:06 – Updated: 2024-08-04 23:10
VLAI?
Summary
An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:30.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy \"Load Script\" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the \"Save Script\" function, which is executed automatically when saving a project."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-05T16:06:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12180",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy \"Load Script\" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the \"Save Script\" function, which is executed automatically when saving a project."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt",
"refsource": "MISC",
"url": "https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12180",
"datePublished": "2020-02-05T16:06:44",
"dateReserved": "2019-05-19T00:00:00",
"dateUpdated": "2024-08-04T23:10:30.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16670 (GCVE-0-2017-16670)
Vulnerability from nvd – Published: 2018-02-19 19:00 – Updated: 2024-08-05 20:27
VLAI?
Summary
The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:27:04.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-19T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-16670",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16670",
"datePublished": "2018-02-19T19:00:00",
"dateReserved": "2017-11-08T00:00:00",
"dateUpdated": "2024-08-05T20:27:04.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1202 (GCVE-0-2014-1202)
Vulnerability from nvd – Published: 2014-01-25 01:00 – Updated: 2024-08-06 09:34
VLAI?
Summary
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:34:40.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"name": "30908",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-01-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-26T19:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"name": "30908",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.youtube.com/watch?v=3lCLE64rsc0",
"refsource": "MISC",
"url": "http://www.youtube.com/watch?v=3lCLE64rsc0"
},
{
"name": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html"
},
{
"name": "30908",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/30908"
},
{
"name": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html",
"refsource": "MISC",
"url": "http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html"
},
{
"name": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt",
"refsource": "CONFIRM",
"url": "https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1202",
"datePublished": "2014-01-25T01:00:00",
"dateReserved": "2014-01-07T00:00:00",
"dateUpdated": "2024-08-06T09:34:40.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}