#VU10460 Security restrictions bypass in Apache JMeter - CVE-2018-1287
Published: February 13, 2018
Vulnerability identifier: #VU10460
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1287
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache JMeter
Apache JMeter
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to the binding of RMI Registry to wildcard host when using Distributed Test only (RMI based). A remote attacker can escape the sandbox, gain access to JMeterEngine and send an unauthorized code.
The weakness exists due to the binding of RMI Registry to wildcard host when using Distributed Test only (RMI based). A remote attacker can escape the sandbox, gain access to JMeterEngine and send an unauthorized code.
Remediation
Update to version 3.3 or later.