Description

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E

https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2023-45811 Vulnerability in npm package deobfuscator

CVE-2023-37579 Vulnerability in maven package org.apache.pulsar:pulsar-functions-worker

CVE-2022-42128 Vulnerability in maven package com.liferay:com.liferay.headless.delivery.impl

CVE-2020-2120 Vulnerability in maven package org.jenkins-ci.plugins:fitnesse

CVE-2017-15095 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

Critical

Classification

CWE-319 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory Issue Tracking