Description
Missing certificate validation in Apache JMeter
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-1297
- https://github.com/apache/jmeter/issues/4677
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
Packages
Name: org.apache.jmeter:ApacheJMeter (maven)
Affected versions: < 4.0
Fixed version: 4.0
Related vulnerabilities
CVSS3: 9.8
ubuntu
almost 8 years ago
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
CVSS3: 9.8
nvd
almost 8 years ago
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
CVSS3: 9.8
debian
almost 8 years ago
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3. ...