CVE-2020-12835 - Deserialization of Untrusted Data vulnerability in SmartBear ReadyAPI 3.2.5
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Due to unsafe use of a Java RMI-based protocol in an unsafe configuration, an attacker can inject malicious serialized objects into the communication, resulting in remote code execution in the context of a client-side Network Licensing Protocol component.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Packetstorm
data source | https://packetstormsecurity.com/files/download/157772/SYSS-2019-039.txt |
id | PACKETSTORM:157772 |
last seen | 2020-05-20 |
published | 2020-05-19 |
reporter | Moritz Bechler |
source | https://packetstormsecurity.com/files/157772/Protection-Licensing-Toolkit-ReadyAPI-3.2.5-Code-Execution-Deserialization.html |
title | Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization |
References
- http://packetstormsecurity.com/files/157772/Protection-Licensing-Toolkit-ReadyAPI-3.2.5-Code-Execution-Deserialization.html
- http://seclists.org/fulldisclosure/2020/May/38
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt
- https://www.syss.de/pentest-blog/