CVE-2016-3092
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.4 High
AI Score
Confidence
High
0.043 Low
EPSS
Percentile
92.4%
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Affected configurations
References
jvn.jp/en/jp/JVN89379547/index.html
jvndb.jvn.jp/jvndb/JVNDB-2016-000121
lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
rhn.redhat.com/errata/RHSA-2016-2068.html
rhn.redhat.com/errata/RHSA-2016-2069.html
rhn.redhat.com/errata/RHSA-2016-2070.html
rhn.redhat.com/errata/RHSA-2016-2071.html
rhn.redhat.com/errata/RHSA-2016-2072.html
rhn.redhat.com/errata/RHSA-2016-2599.html
rhn.redhat.com/errata/RHSA-2016-2807.html
rhn.redhat.com/errata/RHSA-2016-2808.html
rhn.redhat.com/errata/RHSA-2017-0457.html
svn.apache.org/viewvc?view=revision&revision=1743480
svn.apache.org/viewvc?view=revision&revision=1743722
svn.apache.org/viewvc?view=revision&revision=1743738
svn.apache.org/viewvc?view=revision&revision=1743742
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
tomcat.apache.org/security-9.html
www.debian.org/security/2016/dsa-3609
www.debian.org/security/2016/dsa-3611
www.debian.org/security/2016/dsa-3614
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
www.securityfocus.com/bid/91453
www.securitytracker.com/id/1036427
www.securitytracker.com/id/1036900
www.securitytracker.com/id/1037029
www.securitytracker.com/id/1039606
www.ubuntu.com/usn/USN-3024-1
www.ubuntu.com/usn/USN-3027-1
access.redhat.com/errata/RHSA-2017:0455
access.redhat.com/errata/RHSA-2017:0456
bugzilla.redhat.com/show_bug.cgi?id=1349468
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
security.gentoo.org/glsa/201705-09
security.gentoo.org/glsa/202107-39
security.netapp.com/advisory/ntap-20190212-0001/
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Related
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.4 High
AI Score
Confidence
High
0.043 Low
EPSS
Percentile
92.4%