CVE-2018-1297
Missing certificate validation in Apache JMeter
9.8
CRITICAL
CVSS 3.0
EPSS 18.0%
Description
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x use an unsecured RMI connection: the channel between the controlling client and jmeter-server carries neither authentication nor encryption. An attacker who can reach the RMI port can gain access to JMeterEngine and submit unauthorized code to it. Standalone (non-distributed) runs do not use RMI and are not affected.
How to fix CVE-2018-1297
To remediate CVE-2018-1297, upgrade the affected package to a fixed version listed below. JMeter 4.0 is the first release that secures the distributed-test RMI channel.
- Debian/jakarta-jmeter: no fixed version listed
- (ecosystem not named on this page): upgrade to 4.0 or later
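The two questions a practitioner actually has to answer for this CVE are "which JMeter version is this?" and "is the RMI channel still unprotected?". The following audit helper, added here as an illustration and not code from the advisory or from the JMeter project, applies the version range from this page and, for 4.0 and later, checks the `server.rmi.ssl.disable` property; that property name and its default of `false` come from JMeter 4.0+ documentation, not from this page, and the properties snippet is constructed sample input.

```python
"""Audit a JMeter installation's distributed-test (RMI) exposure for CVE-2018-1297.

Checks performed:
  1. Version range from the advisory: JMeter < 4.0 runs distributed tests over
     an unauthenticated, unencrypted RMI channel. 4.0 or later is fixed.
  2. Configuration (assumption from JMeter 4.0+ docs, not from the advisory):
     4.0+ wraps RMI in SSL by default, but server.rmi.ssl.disable=true in
     jmeter.properties / user.properties switches that off again, which
     restores the same exposure the CVE describes.
The CVE only applies to distributed mode, so a standalone run is reported clean.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    vulnerable: bool
    reason: str


def parse_version(version: str) -> tuple:
    """Turn '3.3', '4.0', '5.6.3' or 'r2.13' into a comparable int tuple."""
    match = re.match(r"^\D*(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised JMeter version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.
    Later keys win, so concatenating jmeter.properties then user.properties
    mirrors JMeter's own override order."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def assess(version: str, properties_text: str = "", distributed: bool = True) -> Finding:
    """Return a Finding for one JMeter install.

    version          -- JMeter version string (e.g. from `jmeter --version`)
    properties_text  -- contents of jmeter.properties (+ user.properties)
    distributed      -- False if this host never runs jmeter-server or
                        remote tests; RMI is not used at all in that case
    """
    if not distributed:
        return Finding(False, "standalone run: RMI not used, CVE-2018-1297 does not apply")
    ver = parse_version(version)
    if ver < (4, 0):
        return Finding(
            True,
            f"JMeter {version} < 4.0: distributed-test RMI channel is "
            "unauthenticated and unencrypted (CVE-2018-1297); upgrade to 4.0+",
        )
    props = parse_properties(properties_text)
    # Assumed JMeter 4.0+ property; default is false (SSL on).
    if props.get("server.rmi.ssl.disable", "false").lower() == "true":
        return Finding(
            True,
            f"JMeter {version} has server.rmi.ssl.disable=true: RMI SSL is "
            "switched off, reintroducing the exposure fixed in 4.0",
        )
    return Finding(False, f"JMeter {version} with RMI-over-SSL enabled")


# Constructed sample of a user.properties file, not taken from any real host.
SAMPLE_USER_PROPERTIES = """\
# Distributed testing settings (sample)
remote_hosts=10.0.0.11:1099,10.0.0.12:1099
server.rmi.ssl.disable=true
"""

if __name__ == "__main__":
    for ver, props in [("3.3", ""), ("4.0", ""), ("5.4.1", SAMPLE_USER_PROPERTIES)]:
        finding = assess(ver, props)
        print(("VULNERABLE" if finding.vulnerable else "ok        "), finding.reason)
```

Run it against the output of `jmeter --version` and the concatenated properties files of each load-generator host; anything flagged either needs the 4.0+ upgrade or the `server.rmi.ssl.disable` override removed so the 4.0+ keystore-backed RMI-over-SSL is actually in effect.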
Is CVE-2018-1297 being exploited?
Moderate: EPSS is 18.0%, i.e. roughly an 18% estimated probability of exploitation activity in the wild over the next 30 days. Track this CVE, but it is not at the top of the prioritisation list. Exposure exists only on hosts that run jmeter-server (the RMI side of a distributed test) on a network an attacker can reach, so prioritise those hosts and ignore standalone JMeter installs.
Affected packages (2)
- (package not named on this page): all versions, from 0
- (package not named on this page): from 0, < 4.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.0 | CRITICAL | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |