Security restrictions bypass in Apache JMeter - CVE-2018-1287
Published: February 13, 2018
Vulnerability identifier: #VU10460
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1287
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache JMeter
Apache JMeter
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to the binding of RMI Registry to wildcard host when using Distributed Test only (RMI based). A remote attacker can escape the sandbox, gain access to JMeterEngine and send an unauthorized code.
The weakness exists due to the binding of RMI Registry to wildcard host when using Distributed Test only (RMI based). A remote attacker can escape the sandbox, gain access to JMeterEngine and send an unauthorized code.
How to mitigate CVE-2018-1287
Update to version 3.3 or later.