Description
In Apache JMeter 2.x and 3.x, when running a distributed test (the RMI-based mode in which a controller drives one or more jmeter-server instances), jmeter-server binds its RMI registry to the wildcard address, so the registry listens on every network interface of the host rather than only on the one the controller reaches it through. Any host that can connect to the registry port (1099 by default, property server.rmi.port) can look up the JMeterEngine remote object and hand it a test plan of its own. Neither the registry lookup nor the engine calls are authenticated, and a test plan may contain scripted elements, so the server executes whatever the submitted plan contains: unauthorized remote code execution on the jmeter-server host.
Remediation
Upgrade to Apache JMeter 4.0 or later; the 4.0 release announcement linked under References lists this issue as fixed. Where an upgrade is not immediately possible, do not run jmeter-server on a host reachable from untrusted networks: restrict connections to the registry port (1099 by default, server.rmi.port) and to the port the engine object is exported on (set server.rmi.localport to a fixed value so that it can be firewalled as well) to the controller's address, or run the distributed test on an isolated network. To check a running server, list its listening sockets (ss -lntp or netstat -an); a registry shown as 0.0.0.0:1099 or *:1099 is bound to the wildcard address.
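The following is an added example, not JMeter's own code or part of the original advisory. It contrasts an RMI registry created the way the description above says jmeter-server did it (java.rmi opens the listening socket on the wildcard address) with a registry and exported object bound to a single address through an RMIServerSocketFactory, and it includes the registry lookup a controller host would run to check whether a server is reachable at all. The class, the Ping interface, the method names and the "DemoEngine" binding (standing in for JMeter's "JMeterEngine") are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.RMISocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;

/**
 * Added example, not JMeter source. Names are hypothetical; "DemoEngine"
 * stands in for JMeter's "JMeterEngine" registry binding.
 */
public class RegistryBindDemo {

    static final int REGISTRY_PORT = 1099; // JMeter's default, property server.rmi.port

    /** Minimal remote interface so that something can be bound in the registry. */
    public interface Ping extends Remote {
        String ping() throws RemoteException;
    }

    static final class PingImpl implements Ping {
        @Override
        public String ping() {
            return "pong";
        }
    }

    // Strong reference so distributed GC does not unexport the object under us.
    private static PingImpl engine;

    /** Vulnerable pattern: the JDK opens new ServerSocket(port), i.e. the wildcard
     *  address (0.0.0.0 / ::), so every interface on the host accepts connections. */
    static Registry createWildcardRegistry() throws RemoteException {
        return LocateRegistry.createRegistry(REGISTRY_PORT);
    }

    /** Server socket factory that binds each listener to one address. RMI uses
     *  equals()/hashCode() to decide whether two exports may share a listener. */
    static final class BoundServerSocketFactory implements RMIServerSocketFactory {
        private final InetAddress bindAddr;

        BoundServerSocketFactory(InetAddress bindAddr) {
            this.bindAddr = bindAddr;
        }

        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, bindAddr); // 50 = default backlog
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof BoundServerSocketFactory
                    && ((BoundServerSocketFactory) o).bindAddr.equals(bindAddr);
        }

        @Override
        public int hashCode() {
            return bindAddr.hashCode();
        }
    }

    /** Hardened pattern: registry and exported object both listen only on bindAddr.
     *  Binding the registry alone is not enough: the engine object the attacker
     *  ultimately calls has its own listener and needs the same factory. */
    static Registry createBoundRegistry(InetAddress bindAddr) throws RemoteException {
        BoundServerSocketFactory ssf = new BoundServerSocketFactory(bindAddr);
        Registry registry = LocateRegistry.createRegistry(
                REGISTRY_PORT, RMISocketFactory.getDefaultSocketFactory(), ssf);
        engine = new PingImpl();
        Ping stub = (Ping) UnicastRemoteObject.exportObject(
                engine, 0, RMISocketFactory.getDefaultSocketFactory(), ssf);
        registry.rebind("DemoEngine", stub);
        return registry;
    }

    /** Exposure check, run from another host: the names bound in the registry at
     *  host:port. If a jmeter-server answers here, it is reachable from this host. */
    static String[] listRemoteNames(String host, int port) throws RemoteException {
        return LocateRegistry.getRegistry(host, port).list();
    }

    public static void main(String[] args) throws Exception {
        InetAddress bindAddr = InetAddress.getByName(args.length > 0 ? args[0] : "127.0.0.1");
        createBoundRegistry(bindAddr);
        System.out.println("registry bound to " + bindAddr.getHostAddress() + ":" + REGISTRY_PORT);
        System.out.println("names visible via " + bindAddr.getHostAddress() + ": "
                + Arrays.toString(listRemoteNames(bindAddr.getHostAddress(), REGISTRY_PORT)));
        // The exported object keeps the JVM alive; inspect with ss -lntp, then Ctrl-C.
    }
}
```

Compile with javac RegistryBindDemo.java and run java RegistryBindDemo 127.0.0.1; ss -lntp then shows the registry as 127.0.0.1:1099 instead of 0.0.0.0:1099, and listRemoteNames run from another host against that address fails to connect. Note that -Djava.rmi.server.hostname only changes the address written into stubs handed to clients; it does not change which interfaces the server sockets listen on, which is why the factory is the relevant control.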
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
http://www.securityfocus.com/bid/103068
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2022-34870 Vulnerability in maven package org.apache.geode:geode-pulse
CVE-2017-1000034 Vulnerability in maven package com.typesafe.akka:akka-actor_2.12
CVE-2015-5351 Vulnerability in maven package org.apache.tomcat:tomcat
CVE-2023-26127 Vulnerability in npm package n158
CVE-2021-44585 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core