GHSA-7v85-6hv2-rwgw

Suggest an improvement
Source
https://github.com/advisories/GHSA-7v85-6hv2-rwgw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7v85-6hv2-rwgw/GHSA-7v85-6hv2-rwgw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7v85-6hv2-rwgw
Aliases
Published
2022-05-13T01:49:41Z
Modified
2023-11-01T04:48:55.140289Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Missing certificate validation in Apache JMeter
Details

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Database specific
{
    "nvd_published_at": "2018-02-13T12:29:00Z",
    "github_reviewed_at": "2022-11-04T20:38:08Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-319"
    ]
}
References

Affected packages

Maven / org.apache.jmeter:ApacheJMeter

Package

Name
org.apache.jmeter:ApacheJMeter
View open source insights on deps.dev
Purl
pkg:maven/org.apache.jmeter/ApacheJMeter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0

Affected versions

2.*

2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13

3.*

3.0
3.1
3.2
3.3