CVE-2016-3088

CRITICAL 9.8 (CVSS 3.1)
2016-06-01

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:18 (vuln.today)
Patch Released: Oct 22, 2025 - 00:15 (nvd), patch available
PoC Detected: Oct 22, 2025 - 00:15 (vuln.today), public exploit code
Added to CISA KEV: Oct 22, 2025 - 00:15 (cisa), CISA KEV
CVE Published: Jun 01, 2016 - 20:59 (nvd), CRITICAL 9.8

Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Analysis

Apache ActiveMQ 5.x before 5.14.0 exposes a Fileserver web application that allows unauthenticated remote attackers to upload and execute arbitrary files through HTTP PUT followed by HTTP MOVE requests.

Technical Context

The CWE-434 unrestricted file upload vulnerability exists because the Fileserver servlet accepts PUT requests to upload arbitrary files, and MOVE requests to relocate them to directories served by the web application. An attacker uploads a JSP web shell and moves it to a location where it can be executed.

Affected Products

Apache ActiveMQ 5.x before 5.14.0

Remediation

Upgrade ActiveMQ to 5.14.0+. Disable or remove the Fileserver web application. Restrict network access to ActiveMQ management interfaces. Review for existing web shells.
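
For the web shell review, the PUT-then-MOVE sequence described above leaves a recognisable trace in HTTP access logs. The following is an added example, not part of the original advisory: it assumes NCSA common/combined log lines (for instance from a reverse proxy in front of the broker's web console) and the Fileserver application's `/fileserver/` URL prefix; the function name and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed input: NCSA common/combined access-log lines, e.g. from a reverse
# proxy in front of the ActiveMQ web console. All sample data is constructed.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_fileserver_moves(lines, prefix="/fileserver/"):
    """Flag every successful MOVE under the Fileserver path and report whether
    a successful PUT of the same path was seen earlier in the log."""
    puts = {}       # path -> client IP of the most recent successful PUT
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue                      # unparsable line or failed request
        path = m["path"].split("?", 1)[0]
        if not path.lower().startswith(prefix):
            continue
        if m["method"] == "PUT":
            puts[path] = m["ip"]
        elif m["method"] == "MOVE":
            # strptime validates the timestamp and normalises it for the report
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
            # A MOVE with no PUT in this log may mean the PUT was rotated out
            kind = "PUT+MOVE" if path in puts else "MOVE-only"
            findings.append((kind, path, puts.get(path), m["ip"], when))
    return findings

SAMPLE_LOG = [  # constructed lines, documentation IP ranges
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "PUT /fileserver/a.txt HTTP/1.1" 204 0',
    '203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "MOVE /fileserver/a.txt HTTP/1.1" 204 0',
    '198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "MOVE /fileserver/c.txt HTTP/1.1" 204 0',
    '198.51.100.9 - - [12/Mar/2024:10:06:00 +0000] "MOVE /fileserver/d.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in find_fileserver_moves(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The request line of a MOVE carries only the source path, so each finding identifies the uploaded file and the client; where the file ended up has to be established by inspecting the directories served by the web application.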

Priority Score

79
KEV: +50
EPSS: +94.3
CVSS: +49
POC: +20
