CVE-2018-1297
CRITICAL 9.8 | EPSS 18.0%
Missing certificate validation in Apache JMeter
Published: 5/13/2022
Modified: 4/28/2026
Description
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
Affected packages (2)
- Debian/jakarta-jmeter: from 0
- Maven/org.apache.jmeter:ApacheJMeter: from 0, < 4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-1297
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2018-1297
- PATCH: https://github.com/apache/jmeter
- WEB: http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
- WEB: https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
- WEB: https://github.com/apache/jmeter/issues/4677
- WEB: https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E