CVE-2019-0187

{"id": "CVE-2019-0187", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-03-06T17:29:00.383", "references": [{"url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.securityfocus.com/bid/107219", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}, {"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised."}, {"lang": "es", "value": "La ejecuci\u00f3n remota de c\u00f3digo (RCE) autenticada es posible cuando JMeter se utiliza en su modo de distribuci\u00f3n (en las opciones de l\u00ednea de comando -r o -R). Un atacante puede establecer una conexi\u00f3n RMI a un servidor jmeter utilizando RemoteJMeterEngine y proceder con un ataque mediante el uso de una deserializaci\u00f3n de datos no confiable. Esto solo afecta a la pruebas en ejecuci\u00f3n en el modo distribuido. N\u00f3tese que las versiones anteriores a la 4.0 no son capaces de cifrar el tr\u00e1fico entre los nodos ni de identificar los nodos que participan, por lo que se aconseja actualizar a JMeter 5.1."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:jmeter:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7207C91F-9D2B-4525-B1CE-6C6B358B24A2"}, {"criteria": "cpe:2.3:a:apache:jmeter:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20C4FF95-8BBB-4EF2-BDF9-8260BDB3411F"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}