CVE-2016-0709

HIGH

Apache Jetspeed <2.3.1 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-0709. PoCs published by Metasploit.

AI-analyzed exploit summary This Metasploit module exploits CVE-2016-0710 in Apache Jetspeed by leveraging an unsecured REST API to create an admin user and a ZIP path traversal vulnerability to upload and execute a JSP shell.

Description

Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed before 2.3.1 allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. (dot dot) in a ZIP archive entry, as demonstrated by "../../webapps/x.jsp."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotejava
https://www.exploit-db.com/exploits/39643

This Metasploit module exploits CVE-2016-0710 in Apache Jetspeed by leveraging an unsecured REST API to create an admin user and a ZIP path traversal vulnerability to upload and execute a JSP shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Jetspeed <= 2.3.0
No auth needed
Prerequisites: Network access to the target · Apache Jetspeed web interface accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 7.2
EPSS 0.6919
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (2)
apache/jetspeed < 2.3.0
org.apache.portals.jetspeed-2/jetspeed 0 - 2.3.1Maven
Published Apr 11, 2016
Tracked Since Feb 18, 2026