Ecosyste.ms: Advisories
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdnMzctN21ydi1jZndt
Unauthenticated Remote Code Execution in Apache JMeter
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests running in distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes, so upgrading to JMeter 5.1 is also advised.
Permalink: https://github.com/advisories/GHSA-wg37-7mrv-cfwm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdnMzctN21ydi1jZndt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00264
EPSS Percentile: 0.66461
Identifiers: GHSA-wg37-7mrv-cfwm, CVE-2019-0187
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0187
- https://github.com/advisories/GHSA-wg37-7mrv-cfwm
- http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/107219
Affected Packages
maven:org.apache.jmeter:ApacheJMeter
Dependent packages: 14
Dependent repositories: 69
Downloads:
Affected Version Ranges: < 5.1
Fixed in: 5.1
All affected versions:
All unaffected versions: 5.1.1, 5.2.1, 5.4.1, 5.4.2, 5.4.3, 5.6.1, 5.6.2, 5.6.3