Vulnerability Description
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
CVSS Score
9.8
CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Jmeter | 2.1 |
Related Weaknesses (CWE)
References
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzkMailing ListVendor Advisory
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039Issue TrackingVendor Advisory
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzkMailing ListVendor Advisory
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039Issue TrackingVendor Advisory
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1
FAQ
What is CVE-2018-1297?
CVE-2018-1297 is a vulnerability with a CVSS score of 9.8 (CRITICAL). When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
How severe is CVE-2018-1297?
CVE-2018-1297 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-1297?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Jmeter.