nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.
nGrinder by default does not verify the identity of JMX/RMI servers it connects to. An attacker can substitute a malicious JMX/RMI server and trick the nGrinder client into connecting to it. Through the RMI registry mechanism, untrusted data deserialization occurs (CWE-502), resulting in arbitrary code execution on the victim's side.
A remote attacker, without any authentication, can execute arbitrary code on a server running nGrinder, gaining full control over the system (violation of confidentiality, integrity, and availability).
nGrinder should be updated to version 3.5.9 or newer. Details are available in the vendor's references at https://cve.naver.com/detail/cve-2024-28211.html
Naver nGrinder in versions before 3.5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNaver Ngrinder
APPNaver< 3.5.9
Related vulnerabilities
RCE w Naver nGrinder — niebezpieczna deserializacja przez SnakeYAML
RCE przez niebezpieczną deserializację obiektów Java w Naver nGrinder
nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access contr...
nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access contr...
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject ar...