VDB
CVE-2019-0187
CVE-2019-0187
PUBLISHED
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.
EPSS 0.63% · 70.8th percentile
Risk Scores
EPSS Score
0.63%
70.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | jakarta-jmeter | 2.13-5, 2.13-4, 0 |
| Ubuntu:24.04:LTS | jakarta-jmeter | 0, 2.13-5 |
| Ubuntu:16.04:LTS | jakarta-jmeter | 2.11-5, 0, 2.11-3 |
| Ubuntu:25.10 | jakarta-jmeter | 0, 2.13-5 |
| Ubuntu:18.04:LTS | jakarta-jmeter | 2.13-3, 0 |
| Ubuntu:20.04:LTS | jakarta-jmeter | 0, 2.13-4 |
Exploit Intelligence
Timeline
- Mar 6, 2019 CVE Published
- Mar 7, 2019 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-0187 third-party-advisory
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62743 third-party-advisory
- http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-0187 third-party-advisory