Description
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), the JMeter server binds the RMI Registry to the wildcard host. This could allow an attacker to gain access to JMeterEngine and send unauthorized code.
References (3)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103068
Mitigation, Vendor Advisory mailing-list
x_refsource_mlist
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Scores
CVSS v3: 9.8
EPSS: 0.0188
EPSS Percentile: 83.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status: published
Products (19)
apache/jmeter 2.1
apache/jmeter 2.2
apache/jmeter 2.3
apache/jmeter 2.3.1
apache/jmeter 2.3.2
apache/jmeter 2.3.3 (3 CPE variants)
apache/jmeter 2.3.4 (4 CPE variants)
apache/jmeter 2.4
apache/jmeter 2.5 (4 CPE variants)
apache/jmeter 2.5.1 (4 CPE variants)
... and 9 more
Published: Feb 14, 2018
Tracked Since: Feb 18, 2026