← Back to CVEs
CVE-2016-3088
CRITICALCISA KEV9.8
Description
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published6/1/2016
Last Modified4/21/2026
Sourcekev
Honeypot Sightings0
CISA KEV
VendorApache
ProductActiveMQ
Vulnerability NameApache ActiveMQ Improper Input Validation Vulnerability
KEV Date Added2022-02-10
Remediation Due Date2022-08-10
Ransomware UseUnknown
Affected Products
apache:activemq
Weaknesses (CWE)
CWE-434CWE-434
References
http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-2036.html(secalert@redhat.com)
http://www.securitytracker.com/id/1035951(secalert@redhat.com)
http://www.zerodayinitiative.com/advisories/ZDI-16-356(secalert@redhat.com)
http://www.zerodayinitiative.com/advisories/ZDI-16-357(secalert@redhat.com)
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E(secalert@redhat.com)
https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E(secalert@redhat.com)
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E(secalert@redhat.com)
https://www.exploit-db.com/exploits/42283/(secalert@redhat.com)
http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-2036.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1035951(af854a3a-2127-422b-91ae-364da2661108)
http://www.zerodayinitiative.com/advisories/ZDI-16-356(af854a3a-2127-422b-91ae-364da2661108)
http://www.zerodayinitiative.com/advisories/ZDI-16-357(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/42283/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3088(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.