High severity 7.5 · NVD Advisory · Published Jul 4, 2016 · Updated May 6, 2026
CVE-2016-3092
Description
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| commons-fileupload:commons-fileupload (Maven) | < 1.3.2 | 1.3.2 |
Patches
No patches discovered yet.
References
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd: Patch, Permissions Required, Third Party Advisory, WEB)
- jvn.jp/en/jp/JVN89379547/index.html (nvd: Vendor Advisory, WEB)
- jvndb.jvn.jp/jvndb/JVNDB-2016-000121 (nvd: VDB Entry, Vendor Advisory, WEB)
- svn.apache.org/viewvc (nvd: Vendor Advisory, WEB)
- svn.apache.org/viewvc (nvd: Vendor Advisory, WEB)
- svn.apache.org/viewvc (nvd: Vendor Advisory, WEB)
- tomcat.apache.org/security-7.html (nvd: Vendor Advisory, WEB)
- tomcat.apache.org/security-8.html (nvd: Vendor Advisory, WEB)
- tomcat.apache.org/security-9.html (nvd: Vendor Advisory, WEB)
- www.debian.org/security/2016/dsa-3609 (nvd: Third Party Advisory, WEB)
- www.debian.org/security/2016/dsa-3611 (nvd: Third Party Advisory, WEB)
- www.debian.org/security/2016/dsa-3614 (nvd: Third Party Advisory, WEB)
- www.securityfocus.com/bid/91453 (nvd: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-3024-1 (nvd: Third Party Advisory, WEB)
- www.ubuntu.com/usn/USN-3027-1 (nvd: Third Party Advisory, WEB)
- github.com/advisories/GHSA-fvm3-cfvj-gxqq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-3092 (ghsa: ADVISORY)
- lists.opensuse.org/opensuse-updates/2016-09/msg00025.html (nvd: WEB)
- mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E (nvd: Mailing List, WEB)
- rhn.redhat.com/errata/RHSA-2016-2068.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2069.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2070.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2071.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2072.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2599.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2807.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-2808.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2017-0457.html (nvd: WEB)
- svn.apache.org/viewvc (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (nvd: WEB)
- www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:0455 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:0456 (nvd: WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, WEB)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd: WEB)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd: WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- security.gentoo.org/glsa/201705-09 (nvd: WEB)
- security.gentoo.org/glsa/202107-39 (nvd: WEB)
- security.netapp.com/advisory/ntap-20190212-0001 (ghsa: WEB)
- web.archive.org/web/20160726114129/http://www.securitytracker.com/id/1036427 (ghsa: WEB)
- web.archive.org/web/20160924080828/http://www.securityfocus.com/bid/91453 (ghsa: WEB)
- web.archive.org/web/20170317103106/http://www.securitytracker.com/id/1037029 (ghsa: WEB)
- web.archive.org/web/20171103224941/http://www.securitytracker.com/id/1036900 (ghsa: WEB)
- web.archive.org/web/20171111060434/http://www.securitytracker.com/id/1039606 (ghsa: WEB)
- www.oracle.com/security-alerts/cpuapr2020.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (nvd: WEB)
- www.securitytracker.com/id/1036427 (nvd)
- www.securitytracker.com/id/1036900 (nvd)
- www.securitytracker.com/id/1037029 (nvd)
- www.securitytracker.com/id/1039606 (nvd)
- security.netapp.com/advisory/ntap-20190212-0001/ (nvd)