CVE-2016-3092
Summary
| CVE | CVE-2016-3092 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-07-04 22:59:04 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. |
Risk And Classification
Primary CVSS: v3.0 7.5 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-20 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 2.0 | [email protected] | Primary | 7.8 | | AV:N/AC:L/Au:N/C:N/I:N/A:C |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | None |
| Integrity | None |
| Availability | Complete |
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Commons Fileupload | All | All | All | All |
| Application | Apache | Tomcat | 7.0.0 | All | All | All |
| Application | Apache | Tomcat | 7.0.0 | beta | All | All |
| Application | Apache | Tomcat | 7.0.1 | All | All | All |
| Application | Apache | Tomcat | 7.0.10 | All | All | All |
| Application | Apache | Tomcat | 7.0.11 | All | All | All |
| Application | Apache | Tomcat | 7.0.12 | All | All | All |
| Application | Apache | Tomcat | 7.0.14 | All | All | All |
| Application | Apache | Tomcat | 7.0.16 | All | All | All |
| Application | Apache | Tomcat | 7.0.19 | All | All | All |
| Application | Apache | Tomcat | 7.0.2 | All | All | All |
| Application | Apache | Tomcat | 7.0.2 | beta | All | All |
| Application | Apache | Tomcat | 7.0.20 | All | All | All |
| Application | Apache | Tomcat | 7.0.21 | All | All | All |
| Application | Apache | Tomcat | 7.0.22 | All | All | All |
| Application | Apache | Tomcat | 7.0.23 | All | All | All |
| Application | Apache | Tomcat | 7.0.25 | All | All | All |
| Application | Apache | Tomcat | 7.0.26 | All | All | All |
| Application | Apache | Tomcat | 7.0.27 | All | All | All |
| Application | Apache | Tomcat | 7.0.28 | All | All | All |
| Application | Apache | Tomcat | 7.0.29 | All | All | All |
| Application | Apache | Tomcat | 7.0.30 | All | All | All |
| Application | Apache | Tomcat | 7.0.32 | All | All | All |
| Application | Apache | Tomcat | 7.0.33 | All | All | All |
| Application | Apache | Tomcat | 7.0.34 | All | All | All |
| Application | Apache | Tomcat | 7.0.35 | All | All | All |
| Application | Apache | Tomcat | 7.0.37 | All | All | All |
| Application | Apache | Tomcat | 7.0.39 | All | All | All |
| Application | Apache | Tomcat | 7.0.4 | All | All | All |
| Application | Apache | Tomcat | 7.0.4 | beta | All | All |
| Application | Apache | Tomcat | 7.0.40 | All | All | All |
| Application | Apache | Tomcat | 7.0.41 | All | All | All |
| Application | Apache | Tomcat | 7.0.42 | All | All | All |
| Application | Apache | Tomcat | 7.0.47 | All | All | All |
| Application | Apache | Tomcat | 7.0.5 | All | All | All |
| Application | Apache | Tomcat | 7.0.5 | beta | All | All |
| Application | Apache | Tomcat | 7.0.50 | All | All | All |
| Application | Apache | Tomcat | 7.0.52 | All | All | All |
| Application | Apache | Tomcat | 7.0.53 | All | All | All |
| Application | Apache | Tomcat | 7.0.54 | All | All | All |
| Application | Apache | Tomcat | 7.0.55 | All | All | All |
| Application | Apache | Tomcat | 7.0.56 | All | All | All |
| Application | Apache | Tomcat | 7.0.57 | All | All | All |
| Application | Apache | Tomcat | 7.0.59 | All | All | All |
| Application | Apache | Tomcat | 7.0.6 | All | All | All |
| Application | Apache | Tomcat | 7.0.61 | All | All | All |
| Application | Apache | Tomcat | 7.0.62 | All | All | All |
| Application | Apache | Tomcat | 7.0.63 | All | All | All |
| Application | Apache | Tomcat | 7.0.64 | All | All | All |
| Application | Apache | Tomcat | 7.0.65 | All | All | All |
| Application | Apache | Tomcat | 7.0.67 | All | All | All |
| Application | Apache | Tomcat | 7.0.68 | All | All | All |
| Application | Apache | Tomcat | 7.0.69 | All | All | All |
| Application | Apache | Tomcat | 7.0.8 | All | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc1 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc10 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc2 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc5 | All | All |
| Application | Apache | Tomcat | 8.0.1 | All | All | All |
| Application | Apache | Tomcat | 8.0.11 | All | All | All |
| Application | Apache | Tomcat | 8.0.12 | All | All | All |
| Application | Apache | Tomcat | 8.0.14 | All | All | All |
| Application | Apache | Tomcat | 8.0.15 | All | All | All |
| Application | Apache | Tomcat | 8.0.17 | All | All | All |
| Application | Apache | Tomcat | 8.0.18 | All | All | All |
| Application | Apache | Tomcat | 8.0.20 | All | All | All |
| Application | Apache | Tomcat | 8.0.21 | All | All | All |
| Application | Apache | Tomcat | 8.0.22 | All | All | All |
| Application | Apache | Tomcat | 8.0.23 | All | All | All |
| Application | Apache | Tomcat | 8.0.24 | All | All | All |
| Application | Apache | Tomcat | 8.0.26 | All | All | All |
| Application | Apache | Tomcat | 8.0.27 | All | All | All |
| Application | Apache | Tomcat | 8.0.28 | All | All | All |
| Application | Apache | Tomcat | 8.0.29 | All | All | All |
| Application | Apache | Tomcat | 8.0.3 | All | All | All |
| Application | Apache | Tomcat | 8.0.30 | All | All | All |
| Application | Apache | Tomcat | 8.0.32 | All | All | All |
| Application | Apache | Tomcat | 8.0.33 | All | All | All |
| Application | Apache | Tomcat | 8.0.35 | All | All | All |
| Application | Apache | Tomcat | 8.0.5 | All | All | All |
| Application | Apache | Tomcat | 8.0.8 | All | All | All |
| Application | Apache | Tomcat | 8.5.0 | All | All | All |
| Application | Apache | Tomcat | 8.5.2 | All | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Application | Hp | Icewall Identity Manager | 5.0 | All | All | All |
| Application | Hp | Icewall Sso Agent Option | 10.0 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Commons FileUpload CVE-2016-3092 Denial Of Service Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Apache Commons FileUpload: Multiple vulnerabilities (GLSA 202107-39) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option Lets Remote Users Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| openSUSE-SU-2016:2252-1: moderate: Security update for tomcat | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| USN-3024-1: Tomcat vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| [Apache-SVN] Revision 1743480 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | |
| Debian -- Security Information -- DSA-3611-1 libcommons-fileupload-java | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| Debian -- Security Information -- DSA-3609-1 tomcat8 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| November 2017 Apache Commons FileUpload Vulnerabilities in NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | |
| Apache Tomcat® - Apache Tomcat 8 vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | tomcat.apache.org | Vendor Advisory |
| Document Display | HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| Debian -- Security Information -- DSA-3614-1 tomcat7 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| Red Hat JBoss Enterprise Application Platform Fileupload Component Lets Remote Users Consume Excessive CPU Resources on the Target System - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Apache Tomcat® - Apache Tomcat 7 vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | tomcat.apache.org | Vendor Advisory |
| JVN#89379547: Apache Commons FileUpload vulnerable to denial-of-service (DoS) | af854a3a-2127-422b-91ae-364da2661108 | jvn.jp | Vendor Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| 1349468 – (CVE-2016-3092) CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking |
| jvndb.jvn.jp/jvndb/JVNDB-2016-000121 | af854a3a-2127-422b-91ae-364da2661108 | jvndb.jvn.jp | VDB Entry, Vendor Advisory |
| Sun GlassFish Enterprise Server Flaws Let Remote Users Access and Modify Data and Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2020 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability | af854a3a-2127-422b-91ae-364da2661108 | mail-archives.apache.org | Mailing List |
| [Apache-SVN] Revision 1743722 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Vendor Advisory |
| [Apache-SVN] Revision 1743742 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Vendor Advisory |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| USN-3027-1: Tomcat vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| Oracle Solaris Bulletin - July 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| [Apache-SVN] Revision 1743738 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Vendor Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Document Display | HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Apache Tomcat: Multiple vulnerabilities (GLSA 201705-09) — Gentoo Security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| Oracle Critical Patch Update - April 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| HPE Intelligent Management Center (iMC) PLAT Lets Remote Users Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Oracle Critical Patch Update Advisory - April 2019 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| CPU July 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| Oracle Critical Patch Update - July 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Apache Tomcat - Apache Tomcat 8 vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | tomcat.apache.org | Vendor Advisory |
| Document Display | HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | Patch, Permissions Required, Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710049 Gentoo Linux Apache Commons FileUpload Multiple Vulnerabilities (GLSA 202107-39)
- 753773 SUSE Enterprise Linux Security Update for jakarta-commons-fileupload (SUSE-SU-2023:0730-1)
- 753805 SUSE Enterprise Linux Security Update for jakarta-commons-fileupload (SUSE-SU-2023:0758-1)
- 982000 Java (maven) Security Update for commons-fileupload:commons-fileupload (GHSA-fvm3-cfvj-gxqq)