Vulnerability Details CVE-2018-1287
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.02
EPSS Ranking 82.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/103068
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/103068
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Products affected by CVE-2018-1287
-
cpe:2.3:a:apache:jmeter:2.1
-
cpe:2.3:a:apache:jmeter:2.10
-
cpe:2.3:a:apache:jmeter:2.11
-
cpe:2.3:a:apache:jmeter:2.12
-
cpe:2.3:a:apache:jmeter:2.13
-
cpe:2.3:a:apache:jmeter:2.2
-
cpe:2.3:a:apache:jmeter:2.3
-
cpe:2.3:a:apache:jmeter:2.3.1
-
cpe:2.3:a:apache:jmeter:2.3.2
-
cpe:2.3:a:apache:jmeter:2.3.3
-
cpe:2.3:a:apache:jmeter:2.3.4
-
cpe:2.3:a:apache:jmeter:2.4
-
cpe:2.3:a:apache:jmeter:2.5
-
cpe:2.3:a:apache:jmeter:2.5.1
-
cpe:2.3:a:apache:jmeter:2.6
-
cpe:2.3:a:apache:jmeter:2.7
-
cpe:2.3:a:apache:jmeter:2.8
-
cpe:2.3:a:apache:jmeter:2.9
-
cpe:2.3:a:apache:jmeter:3.0
-
cpe:2.3:a:apache:jmeter:3.1
-
cpe:2.3:a:apache:jmeter:3.2
-
cpe:2.3:a:apache:jmeter:3.3