CVE-2019-0187
Severity: CRITICAL
Apache JMeter < 5.1 - Unauthenticated Remote Code Execution via RMI Deserialization
Title source: llmDescription
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes, so upgrading to JMeter 5.1 is also advised.
References (2)
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/107219
Mailing List, Vendor Advisory (x_refsource_mlist): http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E
Scores
CVSS v3: 9.8
EPSS: 0.0063
EPSS Percentile: 70.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-502, CWE-327
Status: published
Products (3)
apache/jmeter 4.0
apache/jmeter 5.0
org.apache.jmeter/ApacheJMeter 0 - 5.1 (Maven)
Published: Mar 06, 2019
Tracked Since: Feb 18, 2026