Description
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
http://www.securityfocus.com/bid/103068
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2017-3203 Vulnerability in maven package org.springframework.flex:spring-flex-core
CVE-2017-7677 Vulnerability in maven package org.apache.ranger:ranger
CVE-2022-25860 Vulnerability in npm package simple-git
CVE-2015-1814 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-2181 Vulnerability in maven package org.jenkins-ci.plugins:credentials-binding