CVE-2018-1297

CRITICAL

Apache Jmeter < 4.0 - Cleartext Transmission

Title source: rule

Description

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Exploits (2)

nomisec WORKING POC
by 48484848484848 · poc
https://github.com/48484848484848/Jmeter-CVE-2018-1297-
nomisec WORKING POC
by Al1ex · poc
https://github.com/Al1ex/CVE-2018-1297

References (3)

Scores

CVSS v3 9.8
EPSS 0.1799
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-319
Status published
Products (19)
apache/jmeter 2.1
apache/jmeter 2.2
apache/jmeter 2.3
apache/jmeter 2.3.1
apache/jmeter 2.3.2
apache/jmeter 2.3.3 (3 CPE variants)
apache/jmeter 2.3.4 (4 CPE variants)
apache/jmeter 2.4
apache/jmeter 2.5 (4 CPE variants)
apache/jmeter 2.5.1 (4 CPE variants)
... and 9 more
Published Feb 13, 2018
Tracked Since Feb 18, 2026