CVE-2016-3092

Severity: High

Description

The MultipartStream class in Apache Commons FileUpload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. The boundary is taken from the client-supplied Content-Type header of a multipart/form-data request, so any unauthenticated client that can reach an endpoint whose body is parsed as multipart (in Tomcat, a servlet that accepts multipart requests) can trigger the excessive parsing work. FileUpload 1.3.2 adds a check that the parser's buffer is large enough for the boundary before parsing begins.

References

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://security.netapp.com/advisory/ntap-20190212-0001/

https://security.gentoo.org/glsa/202107-39

https://security.gentoo.org/glsa/201705-09

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371

https://bugzilla.redhat.com/show_bug.cgi?id=1349468

https://access.redhat.com/errata/RHSA-2017:0456

https://access.redhat.com/errata/RHSA-2017:0455

http://www.ubuntu.com/usn/USN-3027-1

http://www.ubuntu.com/usn/USN-3024-1

http://www.securitytracker.com/id/1039606

http://www.securitytracker.com/id/1037029

http://www.securitytracker.com/id/1036900

http://www.securitytracker.com/id/1036427

http://www.securityfocus.com/bid/91453

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.debian.org/security/2016/dsa-3614

http://www.debian.org/security/2016/dsa-3611

http://www.debian.org/security/2016/dsa-3609

http://tomcat.apache.org/security-9.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-7.html

http://svn.apache.org/viewvc?view=revision&revision=1743742

http://svn.apache.org/viewvc?view=revision&revision=1743738

http://svn.apache.org/viewvc?view=revision&revision=1743722

http://svn.apache.org/viewvc?view=revision&revision=1743480

http://rhn.redhat.com/errata/RHSA-2017-0457.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2599.html

http://rhn.redhat.com/errata/RHSA-2016-2072.html

http://rhn.redhat.com/errata/RHSA-2016-2071.html

http://rhn.redhat.com/errata/RHSA-2016-2070.html

http://rhn.redhat.com/errata/RHSA-2016-2069.html

http://rhn.redhat.com/errata/RHSA-2016-2068.html

http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html

http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121

http://jvn.jp/en/jp/JVN89379547/index.html

Details

Source: Mitre, NVD

Published: 2016-07-04

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High