CVE-2016-3092

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption19 documents11 sources

Severity

7.5HIGH

EPSS

33.9%

top 3.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Commons Fileupload Apache Tomcat Canonical Ubuntu Linux +3 more

Timeline

PublishedJul 4

Latest updateMay 14

Description

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDapache/commons_fileupload1.3.1

▶NVDapache/tomcat76 versions+75

▶Mavencommons-fileupload:commons-fileupload< 1.3.2

▶Debianlibcommons-fileupload-java< 1.3.2-1+3

▶NVDhp/icewall_identity_manager5.0

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.10, 16.04

Patches

Patch: h20566.www2.hpe.com ↗Patch: h20566.www2.hpe.com ↗

🔴Vulnerability Details

GHSA

Improper Input Validation in Jenkins↗2022-05-14

▶

OSV

High severity vulnerability that affects commons-fileupload:commons-fileupload↗2018-12-21

▶

GHSA

High severity vulnerability that affects commons-fileupload:commons-fileupload↗2018-12-21

▶

CVEList

CVE-2016-3092: The MultipartStream class in Apache Commons Fileupload before 1↗2016-07-04

▶

OSV

CVE-2016-3092: The MultipartStream class in Apache Commons Fileupload before 1↗2016-07-04

▶

📋Vendor Advisories

Oracle

Oracle Oracle Knowledge Risk Matrix: Web Applications - InfoCenter (Apache Commons Fileupload) — CVE-2016-3092↗2020-04-15

▶

Jenkins

Jenkins Security Advisory 2017-10-11↗2017-10-11

▶

Red Hat

jenkins: Jenkins core bundled vulnerable version of the commons-fileupload library (SECURITY-490)↗2017-10-11

▶

Ubuntu

Tomcat vulnerability↗2016-07-06

▶

Ubuntu

Tomcat vulnerabilities↗2016-07-05

▶

💬Community

Bugzilla

CVE-2017-1000394 jenkins: Jenkins core bundled vulnerable version of the commons-fileupload library (SECURITY-490)↗2017-10-13

▶

Bugzilla

CVE-2015-5351 CVE-2016-0714 CVE-2016-0706 CVE-2015-5345 CVE-2015-5346 CVE-2016-0763 CVE-2016-3092 tomcat: multiple security vulnerabilities [epel-6]↗2016-07-01

▶

Bugzilla

CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service [fedora-all]↗2016-06-23

▶

Bugzilla

CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service↗2016-06-23

▶

Bugzilla

CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service [epel-6]↗2016-06-23

▶