Apache JMeter vulnerabilities

14 known vulnerabilities affecting apache/jmeter.

Total CVEs: 14
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 4

Vulnerabilities

CVE-2021-21346 | CRITICAL | CVSS 9.8 | fixed in 5.5 | 2021-03-23
CVE-2021-21346 [MEDIUM] CWE-434: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security fram
Source: nvd
CVE-2021-21350 | CRITICAL | CVSS 9.8 | fixed in 5.5 | 2021-03-23
CVE-2021-21350 [MEDIUM] CWE-434: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limit
Source: nvd
CVE-2021-21344 | CRITICAL | CVSS 9.8 | fixed in 5.5 | 2021-03-23
CVE-2021-21344 [MEDIUM] CWE-434: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security fram
Source: nvd
CVE-2021-21351 | CRITICAL | CVSS 9.1 | PoC | fixed in 5.5 | 2021-03-23
CVE-2021-21351 [MEDIUM] CWE-434: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework
Source: nvd
CVE-2021-21347 | CRITICAL | CVSS 9.8 | fixed in 5.5 | 2021-03-23
CVE-2021-21347 [MEDIUM] CWE-434: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security fram
Source: nvd
CVE-2021-21345 | CRITICAL | CVSS 9.9 | PoC | fixed in 5.5 | 2021-03-23
CVE-2021-21345 [MEDIUM] CWE-94: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security f
Source: nvd
CVE-2021-21342 | CRITICAL | CVSS 9.1 | fixed in 5.5 | 2021-03-23
CVE-2021-21342 [MEDIUM] CWE-502: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the p
Source: nvd
CVE-2021-21348 | HIGH | CVSS 7.5 | fixed in 5.5 | 2021-03-23
CVE-2021-21348 [MEDIUM] CWE-400: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited
Source: nvd
CVE-2021-21343 | HIGH | CVSS 7.5 | fixed in 5.5 | 2021-03-23
CVE-2021-21343 [MEDIUM] CWE-73: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the pr
Source: nvd
CVE-2021-21349 | HIGH | CVSS 8.6 | fixed in 5.5 | 2021-03-23
CVE-2021-21349 [MEDIUM] CWE-502: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStre
Source: nvd
CVE-2021-21341 | HIGH | CVSS 7.5 | fixed in 5.5 | 2021-03-23
CVE-2021-21341 [HIGH] CWE-400: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. N
Source: nvd
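Every XStream advisory above ends with the same qualifier: a user who configured XStream's security framework with a whitelist is not affected. The example below, added here and not code from JMeter or XStream, shows what that configuration looks like and why it matters. It assumes the `com.thoughtworks.xstream:xstream` dependency (1.4.16 or later), two hypothetical application classes `Report` and `Unexpected`, and two constructed XML inputs; the second input is not an exploit, only a well-formed stream whose root element names a class the application never intended to accept.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Hypothetical type the application legitimately exchanges over XStream. */
class Report {
    String name;
    int samples;
}

/** Hypothetical stand-in for any class the application never expects in its input. */
class Unexpected {
    String payload;
}

public class XStreamAllowlistDemo {

    // Constructed inputs (not real payloads). The second one is the pattern every
    // advisory above describes: the stream itself names the type to instantiate, and
    // without the security framework XStream's reflection converter resolves that
    // element name to a class and creates an instance of it.
    static final String EXPECTED_XML =
        "<Report><name>login</name><samples>10</samples></Report>";
    static final String UNEXPECTED_XML =
        "<Unexpected><payload>anything</payload></Unexpected>";

    /** The pre-1.4.18 default behaviour made explicit: any type named in the stream may be created. */
    static XStream permissive() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    /** The whitelist configuration the advisories refer to: deny everything, then allow known types. */
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline; clears prior permissions
        xs.addPermission(NullPermission.NULL);                // <null/> markers
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean and their boxed forms
        xs.allowTypes(new Class[] { String.class, Report.class });
        return xs;
    }

    public static void main(String[] args) {
        // Permissive instance: the unexpected type is instantiated straight from the input.
        Object o = permissive().fromXML(UNEXPECTED_XML);
        System.out.println("permissive created: " + o.getClass().getName());

        // Hardened instance: the expected document still unmarshals normally...
        Report r = (Report) hardened().fromXML(EXPECTED_XML);
        System.out.println("hardened parsed Report '" + r.name + "' with " + r.samples + " samples");

        // ...while the same unexpected input is refused before any object is created.
        try {
            hardened().fromXML(UNEXPECTED_XML);
            System.out.println("hardened created the unexpected type: allowlist is misconfigured");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

The order of calls in `hardened()` is deliberate: `NoTypePermission.NONE` discards every permission registered before it, so it must come first, and each later `addPermission`/`allowTypes` call widens the set. Resist the temptation to allow broad hierarchies (`Object`, `Collection`) or `java.**` wildcards when only a handful of application types ever cross the boundary; the narrower the list, the less of the converter surface the CVEs above can reach.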
CVE-2019-0187 | CRITICAL | CVSS 9.8 | affected: v4.0, v5.0 | 2019-03-06
CVE-2019-0187 [CRITICAL] CWE-327: Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests running in distributed mode. Note that versions before 4.0 are not able to
Source: nvd
CVE-2018-1287 | CRITICAL | CVSS 9.8 | affected: v2.1, v2.2, +20 more | 2018-02-14
CVE-2018-1287 [CRITICAL]: In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), the jmeter server binds the RMI Registry to the wildcard host. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
Source: nvd
CVE-2018-1297 | CRITICAL | CVSS 9.8 | affected: v2.1, v2.2, +20 more | 2018-02-13
CVE-2018-1297 [CRITICAL] CWE-319: When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
Source: nvd