Description

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E

https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2023-46660 Vulnerability in maven package org.jenkins-ci.plugins:zanata

CVE-2022-38666 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2023-25765 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

CVE-2020-26870 Vulnerability in maven package org.webjars.npm:dompurify

CVE-2020-6422 Vulnerability in npm package electron

Severity

Critical

Classification

CWE-319 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory Issue Tracking