CVE-2019-0187
Apache JMeter < 5.1 - Insecure Deserialization
Severity: CRITICAL
Unauthenticated RCE is possible when JMeter is used in distributed mode (the -r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests running in distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes, so upgrading to JMeter 5.1 is also advised.
Scores
CVSS v3: 9.8
EPSS: 0.0063
EPSS Percentile: 70.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE: CWE-502, CWE-327
Status: published
Affected Products (3)
apache/jmeter
apache/jmeter
org.apache.jmeter/ApacheJMeter < 5.1 (Maven)
Timeline
Published: Mar 06, 2019
Tracked Since: Feb 18, 2026