Description
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
Remediation
References
http://www.zerodayinitiative.com/advisories/ZDI-16-356
http://www.securitytracker.com/id/1035951
http://www.zerodayinitiative.com/advisories/ZDI-16-357
http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
https://www.exploit-db.com/exploits/42283/
http://rhn.redhat.com/errata/RHSA-2016-2036.html
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E