Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Remediation

References

http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securitytracker.com/id/1035951

http://www.zerodayinitiative.com/advisories/ZDI-16-356

http://www.zerodayinitiative.com/advisories/ZDI-16-357

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://www.exploit-db.com/exploits/42283/

Related Vulnerabilities

CVE-2022-24697 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2022-45392 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2023-34616 Vulnerability in maven package com.progsbase.libraries:json

CVE-2022-41704 Vulnerability in maven package org.apache.xmlgraphics:batik-bridge

CVE-2018-20677 Vulnerability in maven package org.webjars:bootstrap

Severity

Critical

Classification

CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory Broken Link VDB Entry Mailing List Patch Issue Tracking Exploit