CVE-2019-0187

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-0187
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-0187.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-0187
Aliases
Downstream
Published
2019-03-06T17:29:00.383Z
Modified
2026-04-10T04:13:30.293082Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.

References

Affected packages

Git / github.com/apache/jmeter

Affected ranges

Type
GIT
Repo
https://github.com/apache/jmeter
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5b0aff7b31887e4fb512874af1a64f1453765d04
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a4de2de971f0fd06753f4eab5c00f5596dfa75d5
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.0"
        }
    ]
}

Affected versions

Other
v4_0
v5_0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-0187.json"