Description

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Remediation

References

https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Related Vulnerabilities

CVE-2023-26475 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2020-1935 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-0225 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2017-11341 Vulnerability in npm package node-sass

CVE-2022-31160 Vulnerability in npm package jquery-ui

Severity

Critical

Classification

CWE-319 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Vendor Advisory Mailing List