exploitDog
CVE-2016-3088

Published: 24 May 2016
Source: redhat
CVSS2: 6.8

Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Statement

Red Hat JBoss A-MQ 6.3, Red Hat JBoss Fuse 6.3, and Red Hat JBoss Fuse Service Works 6.0.0 do not provide the vulnerable component and are not affected by this flaw. Red Hat JBoss A-MQ 6.2.1 and Red Hat JBoss Fuse 6.2.1 disable the vulnerable component and as such are not vulnerable to this flaw. The fileserver component was first disabled in A-MQ 6.2.0 and Fuse 6.2.0. Users of older, unsupported versions of these products are strongly advised to observe the mitigation provided on this page.

Mitigation

Users are advised to use other FTP- and HTTP-based file servers for transferring blob messages. The Fileserver web application SHOULD NOT be used in older versions of the broker and should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from the conf\jetty.xml file.

Affected packages

Platform                              | Package  | Status       | Advisory        | Release
--------------------------------------+----------+--------------+-----------------+-----------
Red Hat JBoss A-MQ 6                  | activemq | Affected     |                 |
Red Hat JBoss Fuse 6                  | activemq | Affected     |                 |
Red Hat JBoss Fuse Service Works 6    | activemq | Not affected |                 |
Red Hat OpenShift Enterprise 2        | activemq | Not affected |                 |
Red Hat JBoss A-MQ 6.3                |          | Fixed        | RHSA-2016:2036  | 06.10.2016
Red Hat JBoss Fuse 6.2                |          | Fixed        | RHSA-2015:1176  | 23.06.2015

Additional information

Severity: Important
Weakness: CWE-22
Bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1339318 (activemq: Fileserver web application vulnerability allowing RCE)

CVSS2: 6.8 Medium

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 9 years ago

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

CVSS3: 9.8
nvd
more than 9 years ago

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

CVSS3: 9.8
debian
more than 9 years ago

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 al ...

CVSS3: 9.8
github
more than 3 years ago

Improper Input Validation in Apache ActiveMQ

CVSS3: 9.8
fstec
more than 9 years ago

Vulnerability in the Fileserver application of the Apache ActiveMQ software platform that allows an attacker to upload and execute an arbitrary file
