CVE-2018-1297

CRITICAL9.8EPSS 18.0%

Missing certificate validation in Apache JMeter

發布日:2022/5/13修改日:2026/4/28

描述

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

受影響套件(2)

Debian/jakarta-jmeterfrom 0
Maven/org.apache.jmeter:ApacheJMeterfrom 0, < 4.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-1297
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-1297
PATCHhttps://github.com/apache/jmeter
WEBhttp://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
WEBhttps://bz.apache.org/bugzilla/show_bug.cgi?id=62039
WEBhttps://github.com/apache/jmeter/issues/4677
WEBhttps://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E