PT-2016-3434 · Apache · Apache Activemq

Hillary Benson

+1

·

Published

2016-05-24

·

Updated

2026-06-09

·

CVE-2016-3088

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Apache ActiveMQ versions 5.x through 5.13.x
Description The issue exists due to insufficient input validation in the Fileserver web application. It allows a remote attacker to upload and execute arbitrary files via an HTTP PUT request followed by an HTTP MOVE request. This can be achieved by sending a PUT request to a vulnerable endpoint, such as /fileserver, and then sending a MOVE request to execute the uploaded file.
Recommendations For Apache ActiveMQ versions 5.x through 5.13.x, update to version 5.14.0 or later to resolve the issue. As a temporary workaround, consider disabling the HTTP MOVE method for the Fileserver web application until a patch is available. Restrict access to the Fileserver web application to minimize the risk of exploitation.

Exploit

Fix

DoS

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2022-04782
CVE-2016-3088
GHSA-RXQH-FC23-GXP2
ZDI-16-356
ZDI-16-357

Affected Products

Apache Activemq