CVE-2018-1297 – org.apache.jmeter:apachejmeter

Package

Manager: maven
Name: org.apache.jmeter:apachejmeter
Vulnerable Version: >=0 <4.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.23187 pctl0.95723

Details

Missing certificate validation in Apache JMeter When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Metadata

Created: 2022-05-13T01:49:41Z
Modified: 2022-11-04T20:38:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7v85-6hv2-rwgw/GHSA-7v85-6hv2-rwgw.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-7v85-6hv2-rwgw
Finding: F017
Auto approve: 1