{"id":"CVE-2018-1297","details":"When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to gain access to JMeterEngine and send unauthorized code.","aliases":["GHSA-7v85-6hv2-rwgw"],"modified":"2026-05-28T04:04:21.445612785Z","published":"2018-02-13T12:29:00.207Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:apache:jmeter:2.11:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.3:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.3:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.4:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.4:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.4:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5.1:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5.1:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5.1:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.6:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.6:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.7:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.7:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.8:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.9:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.9:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.0:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.0:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.0:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.0:rc4:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.0:rc5:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.1:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.1:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.1:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.1:rc4:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.2:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.2:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.2:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.3:rc1:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"apache:jmeter","extracted_event
s":[{"last_affected":"2.1"},{"last_affected":"2.3.3-rc1"},{"last_affected":"2.3.3-rc2"},{"last_affected":"2.3.4-rc1"},{"last_affected":"2.3.4-rc2"},{"last_affected":"2.3.4-rc3"},{"last_affected":"2.5-rc1"},{"last_affected":"2.5-rc2"},{"last_affected":"2.5-rc3"},{"last_affected":"2.5.1-rc1"},{"last_affected":"2.5.1-rc2"},{"last_affected":"2.5.1-rc3"},{"last_affected":"2.6-rc1"},{"last_affected":"2.6-rc2"},{"last_affected":"2.7-rc1"},{"last_affected":"2.7-rc2"},{"last_affected":"2.8-rc2"},{"last_affected":"2.9-rc1"},{"last_affected":"2.9-rc2"},{"last_affected":"2.11-rc1"},{"last_affected":"3.0-rc1"},{"last_affected":"3.0-rc2"},{"last_affected":"3.0-rc3"},{"last_affected":"3.0-rc4"},{"last_affected":"3.0-rc5"},{"last_affected":"3.1-rc1"},{"last_affected":"3.1-rc2"},{"last_affected":"3.1-rc3"},{"last_affected":"3.1-rc4"},{"last_affected":"3.2-rc1"},{"last_affected":"3.2-rc2"},{"last_affected":"3.2-rc3"},{"last_affected":"3.3-rc1"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E"},{"type":"ADVISORY","url":"http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E"},{"type":"REPORT","url":"https://bz.apache.org/bugzilla/show_bug.cgi?id=62039"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/jmeter","events":[{"introduced":"0"},{"last_affected":"1390e907b2f1acab3d8b905e318ab5d98129e1f4"},{"last_affected":"79d6b616e98ba4d3cdec6d1dfd79d7e0e712bfa9"},{"last_affected":"a5795794482df49d9c27d9feffcf7800dc5168c7"},{"last_affected":"632b1c00305a007b24fa6402e89f47bbd33d0937"},{"last_affected":"5fcb29be57044fcac10909e56271f0bada363a76"},{"last_affected":"842d0a86e7bfa1319ac93f54ad5fefac1a72893d"},{"last_affected":"103c7b7e3867fc0734dd4792fa9262ded43cd3e0"},{"last_affected":"77dc9c6f421f5e187ccddaa0e56906ea8038d5e9"},{"last_affected":"dbe970241257c1d73952d5da3e06
da8e2cb75d3f"},{"last_affected":"1e82caeb99968f978045b809b2f8b275bca482c5"},{"last_affected":"9d0043f84b51275632c0bea3c788662439170b59"},{"last_affected":"71406cf08b85b5f676c09f110332762723cd5485"},{"last_affected":"a8ec1a4f256724c7f7ea8f8f393e560618518ba4"},{"last_affected":"120b62413c6f23a54fb5100f03999494bbcd0c97"},{"last_affected":"f0a392beb0f80317fbdda473532c559fef5b8beb"},{"last_affected":"25be4f7a5beb07e4b1331cc9cd18597e5bf4323f"},{"last_affected":"1832504fce021b9d95c09b39a12b2086ef5ff538"},{"last_affected":"67756c23fa43e789a57306bbf26b78f403717db8"},{"last_affected":"084e556261e78686c4441f0b7392e80d5ec27d3a"},{"last_affected":"97362d3749bdf98a71ded7234a9b750676c5e4c9"},{"last_affected":"2560016525c565e5fd537259c132bab93f341bd9"},{"last_affected":"1c14d5444da52e2a7a0b24bc9e0ab14d4fb107e8"},{"last_affected":"e66a5e0fa7682cd4e439077a0e31410e79b03b49"},{"last_affected":"c24e2f10bc8ae9f1ad30ae51d50721b73fa0f575"},{"last_affected":"9e3f9a87bd50c1bd601850e22a63120b4ce95bda"},{"last_affected":"45c45c75c7cc9dfdde1cc071b6fd44bbd061612d"},{"last_affected":"ab1b9a0342d02c1ead42bccf2eb1227a3d21dcc1"},{"last_affected":"cde7646371e8c03c0a17131b12521e5fc389ef95"},{"last_affected":"a37fc74b7c72db0c791c9f9f6eb4b88a0b7629f7"},{"last_affected":"37073e1e60c82217aa649632972f86b1ed91b72c"}],"database_specific":{"cpe":["cpe:2.3:a:apache:jmeter:2.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.3.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.5.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.6:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.7:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.7:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.8:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.8:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.9:*:*:*:*:*:*:*","
cpe:2.3:a:apache:jmeter:2.9:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.10:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.10:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.11:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.12:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.12:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.13:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.13:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:2.13:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jmeter:3.3:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"0"},{"last_affected":"2.2"},{"last_affected":"2.3"},{"last_affected":"2.3.1"},{"last_affected":"2.3.2"},{"last_affected":"2.3.3"},{"last_affected":"2.3.4"},{"last_affected":"2.4"},{"last_affected":"2.5"},{"last_affected":"2.5.1"},{"last_affected":"2.6"},{"last_affected":"2.7"},{"last_affected":"2.7-rc3"},{"last_affected":"2.8"},{"last_affected":"2.8-rc1"},{"last_affected":"2.9"},{"last_affected":"2.9-rc3"},{"last_affected":"2.10-rc1"},{"last_affected":"2.10-rc2"},{"last_affected":"2.11"},{"last_affected":"2.11-rc2"},{"last_affected":"2.12"},{"last_affected":"2.12-rc1"},{"last_affected":"2.12-rc2"},{"last_affected":"2.13"},{"last_affected":"2.13-rc1"},{"last_affected":"2.13-rc2"},{"last_affected":"3.0"},{"last_affected":"3.1"},{"last_affected":"3.2"},{"last_affected":"3.3"}]}}],"versions":["v3_3","v3_2","v3_1","v3_0","v2_13","v2_13_RC2","v2_13_RC1","v2_12","v2_12_RC2","v2_12_RC1","v2_11","v2_11_RC2","v2_10_RC2","v2_10_RC1","v2_9","v2_9_RC3","v2_8","v2_8_RC1","v2_7","v2_7_RC3","v2_6","v2_2","v2_3","v2_3_1","v2_3_2","v2_3_3","v2_3_4","v2_4","v2_5","v2_5_1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1297.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score"
:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}