Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Remediation

References

http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securitytracker.com/id/1035951

http://www.zerodayinitiative.com/advisories/ZDI-16-356

http://www.zerodayinitiative.com/advisories/ZDI-16-357

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://www.exploit-db.com/exploits/42283/

Related Vulnerabilities

CVE-2020-1951 Vulnerability in maven package org.apache.tika:tika-parsers

CVE-2011-1772 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2012-3451 Vulnerability in maven package org.apache.cxf:cxf-bundle-jaxrs

CVE-2023-23850 Vulnerability in maven package org.jenkins-ci.plugins:synopsys-coverity

CVE-2022-41242 Vulnerability in maven package org.jenkins-ci.plugins:extreme-feedback

Severity

Critical

Classification

CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory Broken Link VDB Entry Mailing List Patch Issue Tracking Exploit