CVE-2019-0187

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-0187

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-0187.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-0187

Aliases

GHSA-wg37-7mrv-cfwm

Related

UBUNTU-CVE-2019-0187

Published

2019-03-06T17:29:00Z

Modified

2024-09-18T03:00:42.901774Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.

References

Affected packages

Debian:11 / jakarta-jmeter

Package

Name: jakarta-jmeter
Purl: pkg:deb/debian/jakarta-jmeter?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.13-4

2.13-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jakarta-jmeter

Package

Name: jakarta-jmeter
Purl: pkg:deb/debian/jakarta-jmeter?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.13-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/jmeter

Affected ranges

Type: GIT
Repo: https://github.com/apache/jmeter
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

5b0aff7b31887e4fb512874af1a64f1453765d04

Last affected

a4de2de971f0fd06753f4eab5c00f5596dfa75d5