Description
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
Remediation
References
http://www.zerodayinitiative.com/advisories/ZDI-16-356
http://www.securitytracker.com/id/1035951
http://www.zerodayinitiative.com/advisories/ZDI-16-357
http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
https://www.exploit-db.com/exploits/42283/
http://rhn.redhat.com/errata/RHSA-2016-2036.html
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E