Apache JMeter is vulnerable to remote code execution (RCE) attacks. The application uses an insecure RMI connection when conducting distributed tests, allowing a malicious user to inject and execute arbitrary code through serialized objects.
CPE Name | Operator | Version
---|---|---
apache jmeter core | le | 3.3
jmeter | le | 3.1.0.1
mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
bz.apache.org/bugzilla/show_bug.cgi?id=62039
github.com/apache/jmeter/commit/172adcc2648abaa6349a737a74b5f13cb7927ac8
github.com/apache/jmeter/commit/36d73def31c60a2fb240784868382e215d37aea7
github.com/apache/jmeter/commit/8a0154759224243fb72dd41a4a65ad0f5612a739
lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E