Home > Vulnerability Database > CVE-2016-3092

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2016-3092

Good to know:

Date: July 4, 2016

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Language: Java

Severity Score

7.5

Related Resources (63)

Url: http://rhn.redhat.com/errata/RHSA-2016-2071.html

Url: https://www.oracle.com/security-alerts/cpuapr2020.html

Url: https://github.com/advisories/GHSA-fvm3-cfvj-gxqq

Url: http://rhn.redhat.com/errata/RHSA-2016-2599.html

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Url: http://www.securityfocus.com/bid/91453

Url: http://www.securitytracker.com/id/1039606

Url: http://rhn.redhat.com/errata/RHSA-2016-2068.html

Url: http://tomcat.apache.org/security-8.html

Url: http://www.securitytracker.com/id/1037029

Url: http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Url: http://rhn.redhat.com/errata/RHSA-2016-2072.html

Url: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Url: http://www.ubuntu.com/usn/USN-3027-1

Url: http://rhn.redhat.com/errata/RHSA-2017-0457.html

Url: http://www.debian.org/security/2016/dsa-3614

Url: http://tomcat.apache.org/security-7.html

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1349468

Url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-3092

Url: http://svn.apache.org/viewvc?view=revision&revision=1743480

Url: http://www.debian.org/security/2016/dsa-3611

Url: https://access.redhat.com/errata/RHSA-2017:0455

Url: http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121

Url: https://access.redhat.com/errata/RHSA-2017:0456

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

Url: http://rhn.redhat.com/errata/RHSA-2016-2070.html

Url: https://web.archive.org/web/20171103224941/http://www.securitytracker.com/id/1036900

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840

Url: https://web.archive.org/web/20160726114129/http://www.securitytracker.com/id/1036427

Url: http://rhn.redhat.com/errata/RHSA-2016-2808.html

Url: https://security.gentoo.org/glsa/202107-39

Url: http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E

Url: http://svn.apache.org/viewvc?view=revision&revision=1743722

Url: https://access.redhat.com/security/cve/CVE-2016-3092

Url: https://web.archive.org/web/20160924080828/http://www.securityfocus.com/bid/91453

Url: http://www.debian.org/security/2016/dsa-3609

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Url: https://security.netapp.com/advisory/ntap-20190212-0001/

Url: https://web.archive.org/web/20171111060434/http://www.securitytracker.com/id/1039606

Url: http://www.ubuntu.com/usn/USN-3024-1

Url: http://svn.apache.org/viewvc?view=revision&revision=1743738

Url: http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html

Url: https://security.gentoo.org/glsa/201705-09

Url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: http://www.securitytracker.com/id/1036427

Url: http://www.securitytracker.com/id/1036900

Url: http://rhn.redhat.com/errata/RHSA-2016-2807.html

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

Url: https://security.netapp.com/advisory/ntap-20190212-0001

Url: http://jvn.jp/en/jp/JVN89379547/index.html

Url: http://tomcat.apache.org/security-9.html

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Url: http://svn.apache.org/viewvc?view=revision&revision=1743742

Url: http://rhn.redhat.com/errata/RHSA-2016-2069.html

Url: https://security-tracker.debian.org/tracker/CVE-2016-3092

Url: https://web.archive.org/web/20170317103106/http://www.securitytracker.com/id/1037029

Url: https://www.mend.io/vulnerability-database/CVE-2016-3092

Severity Score

7.5

Weakness Type (CWE)

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version commons-fileupload:commons-fileupload:1.3.2

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	7.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	COMPLETE
Additional information:

Do you need more information?

Contact Us