Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1yeHFoLWZjMjMtZ3hwMs4AATvG

Improper Input Validation in Apache ActiveMQ

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Permalink: https://github.com/advisories/GHSA-rxqh-fc23-gxp2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeHFoLWZjMjMtZ3hwMs4AATvG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 4 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-rxqh-fc23-gxp2, CVE-2016-3088
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-3088
• https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
• https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a@%3Cusers.activemq.apache.org%3E
• https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
• https://www.exploit-db.com/exploits/42283/
• http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
• http://rhn.redhat.com/errata/RHSA-2016-2036.html
• http://www.securitytracker.com/id/1035951
• http://www.zerodayinitiative.com/advisories/ZDI-16-356
• http://www.zerodayinitiative.com/advisories/ZDI-16-357
• https://github.com/apache/activemq/commit/3dd86d04e8b90ba309819317d19e7260d414d9e7
• https://issues.apache.org/jira/browse/AMQ-6276
• https://stackoverflow.com/questions/67140241/configuring-activemq-webconsole-to-redirect-http-to-https
• https://github.com/advisories/GHSA-rxqh-fc23-gxp2

Repository: https://github.com/apache/activemq
Blast Radius: 37.3

Affected Packages