The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2014-1202 from the MITRE CVE dictionary dictionary and NIST NVD.
Not affected. Red Hat JBoss SOA Platform 4.3 and 5.3 support the SOAPClient action, which will use the SoapUI library to make calls to external web services. However, these products use SoapUI 1.7.1, while the vulnerable property expansion feature was not introduced until SoapUI 2.5. Therefore no Red Hat products are affected by this flaw.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Enterprise SOA Platform 5 | soapui | Not affected |
| Red Hat JBoss Enterprise SOA Platform 4.3 | soapui | Not affected |
Vulmon