CVE-2016-3088 — Improper Input Validation in Apache ActiveMQ

Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

How to fix CVE-2016-3088

To remediate CVE-2016-3088, upgrade the affected package to a fixed version below.

Debian/activemq—upgrade to 5.14.0+dfsg-1 or later
—upgrade to 5.14.0 or later

Is CVE-2016-3088 being exploited?

Yes — CVE-2016-3088 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (2)

from 0, < 5.14.0+dfsg-1
>= 5.0.0, < 5.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3088
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-3088
WEBactivemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
WEBrhn.redhat.com/errata/RHSA-2016-2036.html