CVE-2018-1287

CWE-3476 documents5 sources

Severity

9.8CRITICAL

EPSS

1.9%

top 16.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Jmeter Apache Jmeter

Timeline

PublishedFeb 14

Latest updateMay 13

Description

In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.jmeter:ApacheJMeter< 4.0

▶NVDapache/jmeter22 versions+21

▶CVEListV5apache_software_foundation/apache_jmeter2.x, 3.x+1

🔴Vulnerability Details

GHSA

Missing certificate validation in Apache JMeter↗2022-05-13

▶

OSV

Missing certificate validation in Apache JMeter↗2022-05-13

▶

CVEList

CVE-2018-1287: In Apache JMeter 2↗2018-02-14

▶

OSV

CVE-2018-1287: In Apache JMeter 2↗2018-02-14

▶

📋Vendor Advisories

Debian

CVE-2018-1287: jakarta-jmeter - In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmet...↗2018

▶