Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Remediation

References

http://www.zerodayinitiative.com/advisories/ZDI-16-356

http://www.securitytracker.com/id/1035951

http://www.zerodayinitiative.com/advisories/ZDI-16-357

http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt

https://www.exploit-db.com/exploits/42283/

http://rhn.redhat.com/errata/RHSA-2016-2036.html

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

Related Vulnerabilities

CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.convertors

CVE-2018-3711 Vulnerability in npm package fastify

CVE-2017-16821 Vulnerability in maven package org.b3log:symphony

CVE-2022-40955 Vulnerability in maven package org.apache.inlong:sort-connector-mysql-cdc

CVE-2018-1999004 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Broken Link Vendor Advisory Exploit Mailing List Patch Issue Tracking