Description
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), the JMeter server binds the RMI Registry to the wildcard host (all network interfaces). This could allow an attacker on the network to gain access to the JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
http://www.securityfocus.com/bid/103068
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-namesrv
CVE-2017-5643 Vulnerability in maven package org.apache.camel:camel-core
CVE-2017-12623 Vulnerability in maven package org.apache.nifi:nifi-security-utils
CVE-2022-43421 Vulnerability in maven package org.jenkins-ci.plugins:tuleap-git-branch-source
CVE-2019-16564 Vulnerability in maven package com.paul8620.jenkins.plugins:pipeline-aggregator-view