CVE-2016-3092

CVSS V2: High 7.8; CVSS V3: High 7.5
Description
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Overview
  • CVE ID: CVE-2016-3092
  • Assigner: secalert@redhat.com
  • Vulnerability Status: Modified
  • Published Version: 2016-07-04T22:59:04
  • Last Modified Date: 2021-07-17T08:15:07
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:* 1 OR 1.3.1
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version: 2.0
  • Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:C
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: COMPLETE
  • Base Score: 7.8
  • Severity: HIGH
  • Exploitability Score: 10
  • Impact Score: 6.9
CVSS Version 3
  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Availability Impact: HIGH
  • Base Score: 7.5
  • Base Severity: HIGH
  • Exploitability Score: 3.9
  • Impact Score: 3.6
References
Reference URL Reference Tags
https://bugzilla.redhat.com/show_bug.cgi?id=1349468 Issue Tracking
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121 VDB Entry Vendor Advisory
http://svn.apache.org/viewvc?view=revision&revision=1743480
http://svn.apache.org/viewvc?view=revision&revision=1743738 Vendor Advisory
http://tomcat.apache.org/security-8.html Vendor Advisory
http://tomcat.apache.org/security-9.html Vendor Advisory
http://tomcat.apache.org/security-7.html Vendor Advisory
http://jvn.jp/en/jp/JVN89379547/index.html Vendor Advisory
http://svn.apache.org/viewvc?view=revision&revision=1743722 Vendor Advisory
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E Mailing List
http://svn.apache.org/viewvc?view=revision&revision=1743742 Vendor Advisory
http://www.debian.org/security/2016/dsa-3614 Third Party Advisory
http://www.ubuntu.com/usn/USN-3027-1 Third Party Advisory
http://www.debian.org/security/2016/dsa-3611 Third Party Advisory
http://www.debian.org/security/2016/dsa-3609 Third Party Advisory
http://www.ubuntu.com/usn/USN-3024-1 Third Party Advisory
http://www.securityfocus.com/bid/91453 Third Party Advisory VDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371 Patch Permissions Required Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
https://security.gentoo.org/glsa/201705-09
http://www.securitytracker.com/id/1037029
http://www.securitytracker.com/id/1036900
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1036427
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securitytracker.com/id/1039606
https://access.redhat.com/errata/RHSA-2017:0456
https://access.redhat.com/errata/RHSA-2017:0455
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2072.html
http://rhn.redhat.com/errata/RHSA-2016-2071.html
http://rhn.redhat.com/errata/RHSA-2016-2070.html
http://rhn.redhat.com/errata/RHSA-2016-2069.html
http://rhn.redhat.com/errata/RHSA-2016-2068.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://security.netapp.com/advisory/ntap-20190212-0001/
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2020.html
https://security.gentoo.org/glsa/202107-39
History
Created Old Value New Value Data Type Notes
2022-05-10 07:06:36 Added to TrackCVE
2022-12-02 10:11:10 2016-07-04T22:59Z 2016-07-04T22:59:04 CVE Published Date updated
2022-12-02 10:11:10 2021-07-17T08:15:07 CVE Modified Date updated
2022-12-02 10:11:10 Modified Vulnerability Status updated