Description
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2022-31129 Vulnerability in maven package org.webjars.bowergithub.moment:moment
CVE-2020-2202 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader
CVE-2022-27820 Vulnerability in maven package org.zaproxy:zap
CVE-2023-46227 Vulnerability in maven package org.apache.inlong:inlong-manager
CVE-2022-43414 Vulnerability in maven package org.jenkins-ci.plugins:nunit