Description
When using Distributed Test only (RMI-based), Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to gain access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E