cbcvebase.
CVE-2014-1202
published 2014-01-25

CVE-2014-1202: The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

PriorityP262critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
7.67%
93.8th percentile
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

Affected

15 ranges
VendorProductVersion rangeFixed in
eviwaresoapui
eviwaresoapui
eviwaresoapui
eviwaresoapui
eviwaresoapui
eviwaresoapui
smartbearsoapui<= 4.6.3
smartbearsoapui
smartbearsoapui
smartbearsoapui
smartbearsoapui
smartbearsoapui
smartbearsoapui
smartbearsoapui
smartbearsoapui

Detection & IOCsextracted from sources · hover to see the quote

command${=JAVA CODE};
  • Detect malicious WSDL files containing property expansion expressions using the '${=' prefix, which triggers arbitrary Java/Groovy code execution in SoapUI versions before 4.6.4.
  • Monitor SoapUI clients importing WSDL/WADL files from untrusted or external sources, as the vulnerability is triggered at import/request-send time when the crafted default parameter value is expanded.
  • Look for arbitrary Groovy code embedded inside WSDL element properties; the property expansion mechanism executes the code when the SoapUI client processes the WSDL.
  • Reference the upstream patch commit to identify the exact code change that closes the property expansion sink and use it to verify whether a deployed SoapUI instance is patched.
  • ·The vulnerable property expansion feature was not present in SoapUI versions prior to 2.5; Red Hat JBoss SOA Platform 4.3 and 5.3 ship SoapUI 1.7.1 and are therefore not affected.
  • ·Exploitation requires the victim to actively import the malicious WSDL URL into SoapUI and then attempt to send a request; the payload fires at request-send time, not purely at import time.

CVSS provenance

nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.