The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
http://rhn.redhat.com/errata/RHSA-2016-2036.html
https://www.exploit-db.com/exploits/42283/
http://www.securitytracker.com/id/1035951