Description
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
http://www.securityfocus.com/bid/103068
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2022-34189 Vulnerability in maven package org.jenkins-ci.plugins:image-tag-parameter
CVE-2018-1067 Vulnerability in maven package io.undertow:undertow-core
CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.12
CVE-2023-37579 Vulnerability in maven package org.apache.pulsar:pulsar-functions-worker
CVE-2022-36883 Vulnerability in maven package org.jenkins-ci.plugins:git