CVE-2016-3088

CVE Database · CVE-2016-3088

CVE-2016-3088

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

98.52%

Published

Jun 1, 2016

Modified

Apr 21, 2026

CISA Known Exploited Vulnerability

Added: 2022-02-10 · Due: 2022-08-10

Apply updates per vendor instructions.

Public PoC / Exploit (12)

All weaponized →

Exploit-DBActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)Exploit-DBApache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCCatherines77/ActiveMQ-EXPtools★78 GitHub PoCYutuSec/ActiveMQ_Crack★18 GitHub PoCMa1Dong/ActiveMQ_putshell-CVE-2016-3088★15 GitHub PoCcyberaguiar/CVE-2016-3088★5 GitHub PoCcl4ym0re/CVE-2016-3088★4 GitHub PoCwood03mm/CVE-2016-3088★0 GitHub PoCvonderchild/CVE-2016-3088★0 GitHub PoCHeArtE4t3r/CVE-2016-3088★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-434CWE-434

Affected Products (1)

apache · activemq (up to 5.14.0)vulnerable

References (19)

http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2016-2036.html

Third Party Advisory

http://www.securitytracker.com/id/1035951

Broken LinkThird Party AdvisoryVDB Entry

http://www.zerodayinitiative.com/advisories/ZDI-16-356

Third Party AdvisoryVDB Entry

http://www.zerodayinitiative.com/advisories/ZDI-16-357

Third Party AdvisoryVDB Entry

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

KEV Catalog EPSS Scores Vendors All CVEs