The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
Published 2016-06-01 20:59:04
Updated 2024-07-24 16:04:58
Source Red Hat, Inc.
View at NVD,   CVE.org

Products affected by CVE-2016-3088

CVE-2016-3088 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Apache ActiveMQ Improper Input Validation Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2016-3088
Added on 2022-02-10 Action due date 2022-08-10

Exploit prediction scoring system (EPSS) score for CVE-2016-3088

96.68%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2016-3088

  • ActiveMQ web shell upload
    Disclosure Date: 2016-06-01
    First seen: 2020-04-26
    exploit/multi/http/apache_activemq_upload_jsp
    The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. Authors: - Ian Anderson <andrsn84@gmail.com> - Hillary Benson <1n7r1gu3@gmail.com>

CVSS scores for CVE-2016-3088

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
7.5
HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
10.0
6.4
NIST
9.8
CRITICAL CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST
9.8
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST 2024-07-24

CWE ids for CVE-2016-3088

  • The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
    Assigned by: nvd@nist.gov (Primary)
  • The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-3088

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!