Description

In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E

http://www.securityfocus.com/bid/103068

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2022-43420 Vulnerability in maven package org.jenkins-ci.plugins:contrast-continuous-application-security

CVE-2022-24794 Vulnerability in npm package express-openid-connect

CVE-2021-35516 Vulnerability in maven package org.apache.commons:commons-compress

CVE-2021-46366 Vulnerability in maven package info.magnolia:magnolia-core

CVE-2019-10327 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-maven-parent

Severity

Critical

Classification

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory Third Party Advisory VDB Entry NVD-CWE-noinfo