Description

In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E

http://www.securityfocus.com/bid/103068

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2019-1003081 Vulnerability in maven package org.jenkins-ci.plugins:openshift-deployer

CVE-2019-17554 Vulnerability in maven package org.apache.olingo:odata-server-api

CVE-2022-35915 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts

CVE-2022-27202 Vulnerability in maven package org.jenkins-ci.plugins:extended-choice-parameter

CVE-2018-1999037 Vulnerability in maven package org.jenkins-ci.plugins:resource-disposer

Severity

Critical

Classification

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory Third Party Advisory VDB Entry NVD-CWE-noinfo