CVE-2018-1287 – org.apache.jmeter:apachejmeter

Package

Manager: maven
Name: org.apache.jmeter:apachejmeter
Vulnerable Version: >=0 <4.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01975 pctl0.82797

Details

Missing certificate validation in Apache JMeter In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code. This only affect those running in Distributed mode. In distributed mode, JMeter makes an architectural assumption that it is operating on a 'safe' network. i.e. everyone with access to the network is considered trusted.

Metadata

Created: 2022-05-13T01:49:40Z
Modified: 2022-11-04T20:38:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j7j7-g4ww-pxg5/GHSA-j7j7-g4ww-pxg5.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-j7j7-g4ww-pxg5
Finding: F204
Auto approve: 1