Description

In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E

http://www.securityfocus.com/bid/103068

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2022-34189 Vulnerability in maven package org.jenkins-ci.plugins:image-tag-parameter

CVE-2018-1067 Vulnerability in maven package io.undertow:undertow-core

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.12

CVE-2023-37579 Vulnerability in maven package org.apache.pulsar:pulsar-functions-worker

CVE-2022-36883 Vulnerability in maven package org.jenkins-ci.plugins:git

Severity

Critical

Classification

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory Third Party Advisory VDB Entry NVD-CWE-noinfo