Description

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E

https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2022-1274 Vulnerability in maven package org.keycloak:keycloak-themes

CVE-2023-3223 Vulnerability in maven package io.undertow:undertow-servlet

CVE-2020-14359 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2020-2186 Vulnerability in maven package org.jenkins-ci.plugins:ec2

CVE-2020-2216 Vulnerability in maven package org.jenkins-ci.plugins:zephyr-for-jira-test-management

Severity

Critical

Classification

CWE-319 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory Issue Tracking