CVE-2020-12835

CRITICAL

SmartBear ReadyAPI SoapUI Pro 3.2.5 - Code Injection

Title source: llm

Description

An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Due to unsafe use of an Java RMI based protocol in an unsafe configuration, an attacker can inject malicious serialized objects into the communication, resulting in remote code execution in the context of a client-side Network Licensing Protocol component.

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157772/Protection-Licensing-Toolkit-ReadyAPI-3.2.5-Code-Execution-Deserialization.html

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2020/May/38

[Exploit, Third Party Advisory] https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt

[Third Party Advisory] https://www.syss.de/pentest-blog/

Scores

CVSS v3 9.8

EPSS 0.1369

EPSS Percentile 94.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

smartbear/readyapi

Timeline

Published May 20, 2020

Tracked Since Feb 18, 2026