Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Remediation

References

http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securitytracker.com/id/1035951

http://www.zerodayinitiative.com/advisories/ZDI-16-356

http://www.zerodayinitiative.com/advisories/ZDI-16-357

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://www.exploit-db.com/exploits/42283/

Related Vulnerabilities

CVE-2011-1772 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2023-49800 Vulnerability in npm package nuxt-api-party

CVE-2021-26074 Vulnerability in maven package com.atlassian.connect:atlassian-connect-spring-boot-starter

CVE-2023-46589 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2017-2611 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory Broken Link VDB Entry Mailing List Patch Issue Tracking Exploit