CVE-2016-3092
Summary
| CVE | CVE-2016-3092 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-07-04 22:59:00 UTC |
| Updated | 2023-12-08 16:41:00 UTC |
| Description | The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. |
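The description above says only that a "long boundary string" drives the multipart parser into heavy CPU use and that the fix shipped in Commons FileUpload 1.3.2 and the listed Tomcat releases. Two checks a practitioner would want follow as an added example; this is not code from Apache Commons FileUpload or Tomcat. The affected version ranges are taken verbatim from the description; the product keys, function names and the constructed sample headers are my own. The boundary check applies the RFC 2046 rule (1 to 70 characters from a restricted set, no trailing space), which this page does not state, so that a front end or servlet filter can refuse an absurd boundary before the body reaches any multipart parser, patched or not.

```python
"""Checks for CVE-2016-3092 (MultipartStream CPU DoS via a long boundary).

1. is_vulnerable(product, version): is this version inside the affected
   ranges quoted in the CVE description?
2. validate_multipart_content_type(header): reject a multipart Content-Type
   whose boundary parameter could not be a legitimate RFC 2046 boundary.

Added illustration, not project code from Commons FileUpload or Tomcat.
"""
import re
from email.message import Message
from typing import Optional, Tuple

# [lower, upper) ranges from the CVE text; upper is the first fixed release.
# None as the lower bound means "every earlier version".
AFFECTED = {
    "commons-fileupload": [(None, "1.3.2")],
    "tomcat": [("7.0.0", "7.0.70"), ("8.0.0", "8.0.36"),
               ("8.5.0", "8.5.3"), ("9.0.0.M1", "9.0.0.M7")],
}

_MILESTONE = re.compile(r"^M(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.0.36' or '9.0.0.M7' into a comparable tuple of ints.

    Tomcat 9 milestones (9.0.0.M1, 9.0.0.M2, ...) are ordered by milestone
    number; any other non-numeric component is rejected rather than
    silently mis-ordered.
    """
    parts = []
    for piece in version.strip().split("."):
        if piece.isdigit():
            parts.append(int(piece))
            continue
        m = _MILESTONE.match(piece.upper())
        if not m:
            raise ValueError(f"unsupported version component {piece!r} in {version!r}")
        parts.append(int(m.group(1)))
    return tuple(parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside an affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED[product.lower()]:
        if (lower is None or parse_version(lower) <= v) and v < parse_version(upper):
            return True
    return False


# RFC 2046 section 5.1.1: boundary is 1..70 chars of a restricted set and
# must not end in a space.  A boundary far longer than this is never a
# legitimate client and is exactly the trigger the CVE describes.
MAX_BOUNDARY_LEN = 70
_BOUNDARY = re.compile(r"^[A-Za-z0-9'()+_,\-./:=? ]{0,69}[A-Za-z0-9'()+_,\-./:=?]$")


def boundary_param(content_type: str) -> Optional[str]:
    """Extract the boundary parameter with the stdlib MIME header parser."""
    msg = Message()
    msg["Content-Type"] = content_type
    value = msg.get_param("boundary")
    if isinstance(value, tuple):          # RFC 2231 (charset, language, text) form
        value = value[2]
    return value


def validate_multipart_content_type(content_type: str) -> Optional[str]:
    """Return None if the header is acceptable, else a short rejection reason."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "multipart":
        return "not a multipart Content-Type"
    boundary = boundary_param(content_type)
    if boundary is None:
        return "missing boundary parameter"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return f"boundary is {len(boundary)} chars; RFC 2046 allows at most {MAX_BOUNDARY_LEN}"
    if not _BOUNDARY.match(boundary):
        return "boundary contains characters outside the RFC 2046 set"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for product, version in [("commons-fileupload", "1.3.1"), ("tomcat", "8.5.2"),
                             ("tomcat", "9.0.0.M6"), ("tomcat", "9.0.0.M7")]:
        print(f"{product} {version}: {'VULNERABLE' if is_vulnerable(product, version) else 'fixed'}")
    good = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
    bad = "multipart/form-data; boundary=" + "A" * 4096
    print("browser header:", validate_multipart_content_type(good))
    print("4 KiB boundary:", validate_multipart_content_type(bad))
```

The version check only encodes what the description states; products listed further down the page (IceWall, iMC, JBoss, GlassFish, NetApp) bundle the library and need their vendor advisories, not this table. The header check is a cheap edge mitigation and does not replace upgrading, since a boundary that satisfies RFC 2046 still reaches the parser.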
Risk And Classification
Problem Types: CWE-20 (Improper Input Validation)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Commons Fileupload | All | All | All | All |
| Application | Apache | Tomcat | 7.0.0 | All | All | All |
| Application | Apache | Tomcat | 7.0.0 | beta | All | All |
| Application | Apache | Tomcat | 7.0.1 | All | All | All |
| Application | Apache | Tomcat | 7.0.10 | All | All | All |
| Application | Apache | Tomcat | 7.0.11 | All | All | All |
| Application | Apache | Tomcat | 7.0.12 | All | All | All |
| Application | Apache | Tomcat | 7.0.14 | All | All | All |
| Application | Apache | Tomcat | 7.0.16 | All | All | All |
| Application | Apache | Tomcat | 7.0.19 | All | All | All |
| Application | Apache | Tomcat | 7.0.2 | All | All | All |
| Application | Apache | Tomcat | 7.0.2 | beta | All | All |
| Application | Apache | Tomcat | 7.0.20 | All | All | All |
| Application | Apache | Tomcat | 7.0.21 | All | All | All |
| Application | Apache | Tomcat | 7.0.22 | All | All | All |
| Application | Apache | Tomcat | 7.0.23 | All | All | All |
| Application | Apache | Tomcat | 7.0.25 | All | All | All |
| Application | Apache | Tomcat | 7.0.26 | All | All | All |
| Application | Apache | Tomcat | 7.0.27 | All | All | All |
| Application | Apache | Tomcat | 7.0.28 | All | All | All |
| Application | Apache | Tomcat | 7.0.29 | All | All | All |
| Application | Apache | Tomcat | 7.0.30 | All | All | All |
| Application | Apache | Tomcat | 7.0.32 | All | All | All |
| Application | Apache | Tomcat | 7.0.33 | All | All | All |
| Application | Apache | Tomcat | 7.0.34 | All | All | All |
| Application | Apache | Tomcat | 7.0.35 | All | All | All |
| Application | Apache | Tomcat | 7.0.37 | All | All | All |
| Application | Apache | Tomcat | 7.0.39 | All | All | All |
| Application | Apache | Tomcat | 7.0.4 | All | All | All |
| Application | Apache | Tomcat | 7.0.4 | beta | All | All |
| Application | Apache | Tomcat | 7.0.40 | All | All | All |
| Application | Apache | Tomcat | 7.0.41 | All | All | All |
| Application | Apache | Tomcat | 7.0.42 | All | All | All |
| Application | Apache | Tomcat | 7.0.47 | All | All | All |
| Application | Apache | Tomcat | 7.0.5 | All | All | All |
| Application | Apache | Tomcat | 7.0.5 | beta | All | All |
| Application | Apache | Tomcat | 7.0.50 | All | All | All |
| Application | Apache | Tomcat | 7.0.52 | All | All | All |
| Application | Apache | Tomcat | 7.0.53 | All | All | All |
| Application | Apache | Tomcat | 7.0.54 | All | All | All |
| Application | Apache | Tomcat | 7.0.55 | All | All | All |
| Application | Apache | Tomcat | 7.0.56 | All | All | All |
| Application | Apache | Tomcat | 7.0.57 | All | All | All |
| Application | Apache | Tomcat | 7.0.59 | All | All | All |
| Application | Apache | Tomcat | 7.0.6 | All | All | All |
| Application | Apache | Tomcat | 7.0.61 | All | All | All |
| Application | Apache | Tomcat | 7.0.62 | All | All | All |
| Application | Apache | Tomcat | 7.0.63 | All | All | All |
| Application | Apache | Tomcat | 7.0.64 | All | All | All |
| Application | Apache | Tomcat | 7.0.65 | All | All | All |
| Application | Apache | Tomcat | 7.0.67 | All | All | All |
| Application | Apache | Tomcat | 7.0.68 | All | All | All |
| Application | Apache | Tomcat | 7.0.69 | All | All | All |
| Application | Apache | Tomcat | 7.0.8 | All | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc1 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc10 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc2 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc5 | All | All |
| Application | Apache | Tomcat | 8.0.1 | All | All | All |
| Application | Apache | Tomcat | 8.0.11 | All | All | All |
| Application | Apache | Tomcat | 8.0.12 | All | All | All |
| Application | Apache | Tomcat | 8.0.14 | All | All | All |
| Application | Apache | Tomcat | 8.0.15 | All | All | All |
| Application | Apache | Tomcat | 8.0.17 | All | All | All |
| Application | Apache | Tomcat | 8.0.18 | All | All | All |
| Application | Apache | Tomcat | 8.0.20 | All | All | All |
| Application | Apache | Tomcat | 8.0.21 | All | All | All |
| Application | Apache | Tomcat | 8.0.22 | All | All | All |
| Application | Apache | Tomcat | 8.0.23 | All | All | All |
| Application | Apache | Tomcat | 8.0.24 | All | All | All |
| Application | Apache | Tomcat | 8.0.26 | All | All | All |
| Application | Apache | Tomcat | 8.0.27 | All | All | All |
| Application | Apache | Tomcat | 8.0.28 | All | All | All |
| Application | Apache | Tomcat | 8.0.29 | All | All | All |
| Application | Apache | Tomcat | 8.0.3 | All | All | All |
| Application | Apache | Tomcat | 8.0.30 | All | All | All |
| Application | Apache | Tomcat | 8.0.32 | All | All | All |
| Application | Apache | Tomcat | 8.0.33 | All | All | All |
| Application | Apache | Tomcat | 8.0.35 | All | All | All |
| Application | Apache | Tomcat | 8.0.5 | All | All | All |
| Application | Apache | Tomcat | 8.0.8 | All | All | All |
| Application | Apache | Tomcat | 8.5.0 | All | All | All |
| Application | Apache | Tomcat | 8.5.2 | All | All | All |
| Application | Apache | Tomcat | 9.0.0 | m1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Application | Hp | Icewall Identity Manager | 5.0 | All | All | All |
| Application | Hp | Icewall Sso Agent Option | 10.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| [Apache-SVN] Revision 1743480 | CONFIRM | svn.apache.org | |
| HPE Intelligent Management Center (iMC) PLAT Lets Remote Users Deny Service - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Debian -- Security Information -- DSA-3611-1 libcommons-fileupload-java | DEBIAN | www.debian.org | Third Party Advisory |
| [Apache-SVN] Revision 1743722 | CONFIRM | svn.apache.org | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| JVN#89379547: Apache Commons FileUpload vulnerable to denial-of-service (DoS) | JVN | jvn.jp | Vendor Advisory |
| Document Display | HPE Support Center | CONFIRM | h20566.www2.hpe.com | |
| [Apache-SVN] Revision 1743738 | CONFIRM | svn.apache.org | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Debian -- Security Information -- DSA-3609-1 tomcat8 | DEBIAN | www.debian.org | Third Party Advisory |
| November 2017 Apache Commons FileUpload Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| CPU July 2018 | CONFIRM | www.oracle.com | |
| Oracle Critical Patch Update - April 2018 | CONFIRM | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Apache Commons FileUpload CVE-2016-3092 Denial Of Service Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Document Display | HPE Support Center | CONFIRM | h20566.www2.hpe.com | Patch, Permissions Required, Third Party Advisory |
| USN-3027-1: Tomcat vulnerability | Ubuntu | UBUNTU | www.ubuntu.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| JVNDB-2016-000121 | JVNDB | jvndb.jvn.jp | VDB Entry, Vendor Advisory |
| HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option Lets Remote Users Deny Service - SecurityTracker | SECTRACK | www.securitytracker.com | |
| USN-3024-1: Tomcat vulnerabilities | Ubuntu | UBUNTU | www.ubuntu.com | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| 1349468 – (CVE-2016-3092) CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service | CONFIRM | bugzilla.redhat.com | Issue Tracking |
| openSUSE-SU-2016:2252-1: moderate: Security update for tomcat | SUSE | lists.opensuse.org | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Debian -- Security Information -- DSA-3614-1 tomcat7 | DEBIAN | www.debian.org | Third Party Advisory |
| Red Hat JBoss Enterprise Application Platform Fileupload Component Lets Remote Users Consume Excessive CPU Resources on the Target System - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Pony Mail! | lists.apache.org | ||
| Sun GlassFish Enterprise Server Flaws Let Remote Users Access and Modify Data and Deny Service - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Apache Commons FileUpload: Multiple vulnerabilities (GLSA 202107-39) — Gentoo security | GENTOO | security.gentoo.org | |
| CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability | MLIST | mail-archives.apache.org | Mailing List |
| Document Display | HPE Support Center | CONFIRM | h20566.www2.hpe.com | |
| Apache Tomcat® - Apache Tomcat 7 vulnerabilities | CONFIRM | tomcat.apache.org | Vendor Advisory |
| [Apache-SVN] Revision 1743742 | CONFIRM | svn.apache.org | Vendor Advisory |
| Apache Tomcat® - Apache Tomcat 8 vulnerabilities | CONFIRM | tomcat.apache.org | Vendor Advisory |
| Apache Tomcat: Multiple vulnerabilities (GLSA 201705-09) — Gentoo Security | GENTOO | security.gentoo.org | |
| Oracle Critical Patch Update Advisory - April 2020 | N/A | www.oracle.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Oracle Critical Patch Update - July 2017 | CONFIRM | www.oracle.com | |
| Oracle Critical Patch Update - October 2017 | CONFIRM | www.oracle.com | |
| Apache Tomcat - Apache Tomcat 8 vulnerabilities | CONFIRM | tomcat.apache.org | Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2019 | MISC | www.oracle.com | |
| Oracle Solaris Bulletin - July 2016 | CONFIRM | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710049 Gentoo Linux Apache Commons FileUpload Multiple Vulnerabilities (GLSA 202107-39)
- 753773 SUSE Enterprise Linux Security Update for jakarta-commons-fileupload (SUSE-SU-2023:0730-1)
- 753805 SUSE Enterprise Linux Security Update for jakarta-commons-fileupload (SUSE-SU-2023:0758-1)
- 982000 Java (maven) Security Update for commons-fileupload:commons-fileupload (GHSA-fvm3-cfvj-gxqq)