Description
When Distributed Testing (RMI-based) is used, Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to gain access to the JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2023-2633 Vulnerability in maven package org.jenkins-ci.plugins:codedx
CVE-2023-39154 Vulnerability in maven package com.qualys.plugins:qualys-was
CVE-2020-6468 Vulnerability in npm package electron
CVE-2016-9879 Vulnerability in maven package org.springframework.security:spring-security-web
CVE-2020-13935 Vulnerability in maven package org.apache.tomcat:tomcat-coyote