CVE-2020-12835 – Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization

https://notcve.org/view.php?id=CVE-2020-12835

An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Due to unsafe use of an Java RMI based protocol in an unsafe configuration, an attacker can inject malicious serialized objects into the communication, resulting in remote code execution in the context of a client-side Network Licensing Protocol component. Se detectó un problema en SmartBear ReadyAPI SoapUI Pro versión 3.2.5. Debido al uso no seguro de un protocolo basado en Java RMI en una configuración no segura, un atacante puede inyectar objetos serializados maliciosos en la comunicación, resultando en una ejecución de código remota en el contexto de un componente Network Licensing Protocol del lado del cliente. • http://packetstormsecurity.com/files/157772/Protection-Licensing-Toolkit-ReadyAPI-3.2.5-Code-Execution-Deserialization.html http://seclists.org/fulldisclosure/2020/May/38 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt https://www.syss.de/pentest-blog • CWE-502: Deserialization of Untrusted Data •