Description
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
http://www.securityfocus.com/bid/103068
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2017-5636 Vulnerability in maven package org.apache.nifi:nifi-web-security
CVE-2021-38153 Vulnerability in maven package org.apache.kafka:kafka-clients
CVE-2022-4147 Vulnerability in maven package io.quarkus:quarkus-vertx-http
CVE-2023-32993 Vulnerability in maven package io.jenkins.plugins:miniorange-saml-sp