CVE-2018-1287

CRITICAL9.8EPSS 1.9%

Missing certificate validation in Apache JMeter

發布日:2022/5/13修改日:2026/4/28

也稱為:DEBIAN-CVE-2018-1287

描述

In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

受影響套件(2)

Debian/jakarta-jmeterfrom 0
Maven/org.apache.jmeter:ApacheJMeterfrom 0, < 4.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-1287
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-1287
PATCHhttps://github.com/apache/jmeter
WEBhttp://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
WEBhttps://bz.apache.org/bugzilla/show_bug.cgi?id=62039
WEBhttps://github.com/apache/jmeter/issues/4677
WEBhttps://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E