CVE-2024-7565: 
NixOS vulnerability analysis and mitigation

SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability (CVE-2024-7565) was discovered and disclosed on November 22, 2024. This vulnerability affects SMARTBEAR SoapUI installations and requires user interaction for exploitation (NVD, ZDI Advisory).

The vulnerability exists within the unpackageAll function of SoapUI. The core issue stems from the lack of proper validation of user-supplied paths prior to using them in file operations. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access vector, low attack complexity, no privileges required, and user interaction required (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current user on affected installations of SMARTBEAR SoapUI. The high CVSS score reflects the potential for complete compromise of system confidentiality, integrity, and availability within the scope of the affected user's permissions (ZDI Advisory).

SMARTBEAR has addressed this vulnerability by releasing a security update in SoapUI version 5.7.2. The update specifically fixes the vulnerability related to ZipSlip attack (Path Traversal). Users are advised to upgrade to the latest version (SoapUI Release Notes).