High severity (7.5) · NVD Advisory · Published Jul 4, 2016 · Updated Jun 17, 2026
CVE-2016-3092
Description
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| commons-fileupload:commons-fileupload (Maven) | < 1.3.2 | 1.3.2 |
Affected products
- cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
- cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
ghsa-coords (19 versions, no CPE):
- pkg:maven/commons-fileupload/commons-fileupload, range: < 1.3.2
- pkg:rpm/opensuse/jakarta-commons-fileupload&distro=openSUSE%20Leap%2015.4, range: < 1.1.1-150000.4.8.1
- pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweed, range: < 10.1.14-1.1
- pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed, range: < 8.0.36-3.3
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS, range: < 1.1.1-150000.4.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOS, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS, range: < 1.1.1-150000.4.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1, range: < 1.1.1-150000.4.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20OpenStack%20Cloud%209, range: < 1.1.1-122.8.1
- pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 1.1.1-122.8.1
- pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1, range: < 8.0.32-8.7
- pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS, range: < 7.0.78-7.13.4
- pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012, range: < 7.0.78-7.13.4
- pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1, range: < 8.0.32-8.7
References
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay [nvd] Patch, Permissions Required, Third Party Advisory, WEB
- jvn.jp/en/jp/JVN89379547/index.html [nvd] Vendor Advisory, WEB
- jvndb.jvn.jp/jvndb/JVNDB-2016-000121 [nvd] VDB Entry, Vendor Advisory, WEB
- svn.apache.org/viewvc [nvd] Vendor Advisory, WEB
- svn.apache.org/viewvc [nvd] Vendor Advisory, WEB
- svn.apache.org/viewvc [nvd] Vendor Advisory, WEB
- tomcat.apache.org/security-7.html [nvd] Vendor Advisory, WEB
- tomcat.apache.org/security-8.html [nvd] Vendor Advisory, WEB
- tomcat.apache.org/security-9.html [nvd] Vendor Advisory, WEB
- www.debian.org/security/2016/dsa-3609 [nvd] Third Party Advisory, WEB
- www.debian.org/security/2016/dsa-3611 [nvd] Third Party Advisory, WEB
- www.debian.org/security/2016/dsa-3614 [nvd] Third Party Advisory, WEB
- www.securityfocus.com/bid/91453 [nvd] Third Party Advisory, VDB Entry
- www.ubuntu.com/usn/USN-3024-1 [nvd] Third Party Advisory, WEB
- www.ubuntu.com/usn/USN-3027-1 [nvd] Third Party Advisory, WEB
- github.com/advisories/GHSA-fvm3-cfvj-gxqq [ghsa] ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-3092 [ghsa] ADVISORY
- lists.opensuse.org/opensuse-updates/2016-09/msg00025.html [nvd] WEB
- mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E [nvd] Mailing List, WEB
- rhn.redhat.com/errata/RHSA-2016-2068.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2069.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2070.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2071.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2072.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2599.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2807.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2016-2808.html [nvd] WEB
- rhn.redhat.com/errata/RHSA-2017-0457.html [nvd] WEB
- svn.apache.org/viewvc [nvd] WEB
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html [nvd] WEB
- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html [nvd] WEB
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html [nvd] WEB
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html [nvd] WEB
- www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html [nvd] WEB
- access.redhat.com/errata/RHSA-2017:0455 [nvd] WEB
- access.redhat.com/errata/RHSA-2017:0456 [nvd] WEB
- bugzilla.redhat.com/show_bug.cgi [nvd] Issue Tracking, WEB
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay [nvd] WEB
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay [nvd] WEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E [nvd] WEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E [ghsa] WEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E [nvd] WEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E [ghsa] WEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E [nvd] WEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E [ghsa] WEB
- security.gentoo.org/glsa/201705-09 [nvd] WEB
- security.gentoo.org/glsa/202107-39 [nvd] WEB
- security.netapp.com/advisory/ntap-20190212-0001 [ghsa] WEB
- web.archive.org/web/20160726114129/http://www.securitytracker.com/id/1036427 [ghsa] WEB
- web.archive.org/web/20160924080828/http://www.securityfocus.com/bid/91453 [ghsa] WEB
- web.archive.org/web/20170317103106/http://www.securitytracker.com/id/1037029 [ghsa] WEB
- web.archive.org/web/20171103224941/http://www.securitytracker.com/id/1036900 [ghsa] WEB
- web.archive.org/web/20171111060434/http://www.securitytracker.com/id/1039606 [ghsa] WEB
- www.oracle.com/security-alerts/cpuapr2020.html [nvd] WEB
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html [nvd] WEB
- www.securitytracker.com/id/1036427 [nvd]
- www.securitytracker.com/id/1036900 [nvd]
- www.securitytracker.com/id/1037029 [nvd]
- www.securitytracker.com/id/1039606 [nvd]
- security.netapp.com/advisory/ntap-20190212-0001/ [nvd]