CVE-2016-0710

HIGH

Apache Jetspeed Arbitrary File Upload

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-0710. PoCs published by Metasploit, Andreas Lindh, wvu, including Metasploit module exploits/multi/http/apache_jetspeed_file_upload.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-0710 in Apache Jetspeed by leveraging an unsecured REST API to create an admin user and a ZIP path traversal vulnerability to upload and execute a JSP shell.

Description

Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · java
https://www.exploit-db.com/exploits/39643

This Metasploit module exploits CVE-2016-0710 in Apache Jetspeed by leveraging an unsecured REST API to create an admin user and a ZIP path traversal vulnerability to upload and execute a JSP shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Jetspeed <= 2.3.0
No auth needed
Prerequisites: Network access to the target · Apache Jetspeed web interface accessible
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · MANUAL
by Andreas Lindh, wvu · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_jetspeed_file_upload.rb

This Metasploit module exploits CVE-2016-0710 in Apache Jetspeed by leveraging an unsecured User Manager REST API and a ZIP file path traversal to upload and execute a JSP shell. It creates an admin user, logs in, uploads a malicious ZIP file, and triggers the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Jetspeed <= 2.3.0
No auth needed
Prerequisites: Network access to the target · Apache Jetspeed REST API exposed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.7803
EPSS Percentile: 99.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (2):
apache/jetspeed < 2.3.0
org.apache.portals.jetspeed-2/jetspeed 0 - 2.3.1 (Maven)
Published: Apr 11, 2016
Tracked Since: Feb 18, 2026