Description
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
Remediation
References
http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
http://rhn.redhat.com/errata/RHSA-2016-2036.html
http://www.securitytracker.com/id/1035951
http://www.zerodayinitiative.com/advisories/ZDI-16-356
http://www.zerodayinitiative.com/advisories/ZDI-16-357
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://www.exploit-db.com/exploits/42283/
Related Vulnerabilities
CVE-2021-41766 Vulnerability in maven package org.apache.karaf:apache-karaf
CVE-2021-21615 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2017-1000084 Vulnerability in maven package org.jenkins-ci.plugins:parameterized-trigger
CVE-2018-1999002 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2017-5641 Vulnerability in maven package org.apache.flex.blazeds:flex-messaging-core