{"id":"CVE-2016-3092","details":"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.","aliases":["GHSA-fvm3-cfvj-gxqq"],"modified":"2026-07-08T05:48:26.794926865Z","published":"2016-07-04T22:59:04.303Z","related":["SUSE-SU-2016:2188-1","SUSE-SU-2017:1660-1","SUSE-SU-2023:0730-1","SUSE-SU-2023:0758-1","openSUSE-SU-2024:10446-1","openSUSE-SU-2024:13441-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"8.0.0-rc1"},{"last_affected":"8.0.0-rc1"},{"introduced":"8.0.0-rc10"},{"last_affected":"8.0.0-rc10"},{"introduced":"8.0.0-rc2"},{"last_affected":"8.0.0-rc2"},{"introduced":"8.0.0-rc5"},{"last_affected":"8.0.0-rc5"},{"introduced":"8.0.1"},{"last_affected":"8.0.1"},{"introduced":"8.0.3"},{"last_affected":"8.0.3"},{"introduced":"8.0.5"},{"last_affected":"8.0.5"},{"introduced":"8.0.8"},{"last_affected":"8.0.8"},{"introduced":"8.0.11"},{"last_affected":"8.0.11"},{"introduced":"8.0.12"},{"last_affected":"8.0.12"},{"introduced":"8.0.14"},{"last_affected":"8.0.14"},{"introduced":"8.0.15"},{"last_affected":"8.0.15"},{"introduced":"8.0.17"},{"last_affected":"8.0.17"},{"introduced":"8.0.18"},{"last_affected":"8.0.18"},{"introduced":"8.0.20"},{"last_affected":"8.0.20"},{"introduced":"8.0.21"},{"last_affected":"8.0.21"},{"introduced":"8.0.22"},{"last_affected":"8.0.22"},{"introduced":"8.0.23"},{"last_affected":"8.0.23"},{"introduced":"8.0.24"},{"last_affected":"8.0.24"},{"introduced":"8.0.26"},{"last_affected":"8.0.26"},{"introduced":"8.0.27"},{"last_affected":"8.0.27"},{"introduced":"8.0.28"},{"last_affected":"8.0.28"},{"introduced":"8.0.29"},{"last_affected":"8.0.29"},{"introduced":"8.0.30"},{"last_affected":"8.0.30"},{"introduced":"8.0.32"},{"last_affected":"8.0.32"},{"introduced":"8.0.33"},{"last_affected":"8.0.33"},{"introduced":"8.0.35"},{"last_affected":"8.0.35"},{"introduced":"7.0.0-beta"},{"last_affected":"7.0.0-beta"},{"introduced":"7.0.2-beta"},{"last_affected":"7.0.2-beta"},{"introduced":"7.0.4-beta"},{"last_affected":"7.0.4-beta"},{"introduced":"7.0.5-beta"},{"last_affected":"7.0.5-beta"}],"source":"CPE_STRING","cpes":["cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*"],"vendor_product":"apache:tomcat"},{"extracted_events":[{"introduced":"12.04"},{"last_affected":"12.04"},{"introduced":"14.04"},{"last_affected":"14.04"},{"introduced":"15.10"},{"last_affected":"15.10"},{"introduced":"16.04"},{"last_affected":"16.04"}],"source":"CPE_STRING","cpes":["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"],"vendor_product":"canonical:ubuntu_linux"},{"extracted_events":[{"introduced":"8.0"},{"last_affected":"8.0"}],"source":"CPE_STRING","cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux"},{"extracted_events":[{"introduced":"5.0"},{"last_affected":"5.0"}],"source":"CPE_STRING","cpes":["cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*"],"vendor_product":"hp:icewall_identity_manager"},{"extracted_events":[{"introduced":"10.0"},{"last_affected":"10.0"}],"cpes":["cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"hp:icewall_sso_agent_option"}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html"},{"type":"WEB","url":"http://svn.apache.org/viewvc?view=revision&revision=1743480"},{"type":"WEB","url":"http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"},{"type":"WEB","url":"http://www.securitytracker.com/id/1036427"},{"type":"WEB","url":"http://www.securitytracker.com/id/1036900"},{"type":"WEB","url":"http://www.securitytracker.com/id/1037029"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039606"},{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840"},{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759"},{"type":"WEB","url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"ADVISORY","url":"http://jvn.jp/en/jp/JVN89379547/index.html"},{"type":"ADVISORY","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2068.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2069.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2070.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2071.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2072.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2599.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2807.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2808.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0457.html"},{"type":"ADVISORY","url":"http://svn.apache.org/viewvc?view=revision&revision=1743722"},{"type":"ADVISORY","url":"http://svn.apache.org/viewvc?view=revision&revision=1743738"},{"type":"ADVISORY","url":"http://svn.apache.org/viewvc?view=revision&revision=1743742"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-7.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-8.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-9.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3609"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3611"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3614"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91453"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3024-1"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3027-1"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:0455"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:0456"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201705-09"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-39"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190212-0001/"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1349468"},{"type":"FIX","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371"},{"type":"ARTICLE","url":"http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/commons-fileupload","events":[{"introduced":"0"},{"last_affected":"e19f0d04ff9d28e5e0d7bc6a4e98b6f04cec6bf8"}],"database_specific":{"cpe":"cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"1.3.1"}],"source":"CPE_RANGE"}}],"versions":["FILEUPLOAD_1_3_1","FILEUPLOAD_1_3_1_RC1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3092.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"29b07def810d335012e738b22ab44d4e232b50d1"},{"last_affected":"0b2140180148548e012498e2d7c074fb9d208beb"}],"database_specific":{"cpe":["cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"9.0.0-milestone1"},{"last_affected":"9.0.0-milestone1"},{"introduced":"9.0.0-milestone3"},{"last_affected":"9.0.0-milestone3"},{"introduced":"9.0.0-milestone4"},{"last_affected":"9.0.0-milestone4"},{"introduced":"9.0.0-milestone6"},{"last_affected":"9.0.0-milestone6"},{"introduced":"8.5.0"},{"last_affected":"8.5.0"},{"introduced":"8.5.2"},{"last_affected":"8.5.2"},{"introduced":"7.0.0"},{"last_affected":"7.0.0"},{"introduced":"7.0.1"},{"last_affected":"7.0.1"},{"introduced":"7.0.2"},{"last_affected":"7.0.2"},{"introduced":"7.0.4"},{"last_affected":"7.0.4"},{"introduced":"7.0.5"},{"last_affected":"7.0.5"},{"introduced":"7.0.6"},{"last_affected":"7.0.6"},{"introduced":"7.0.8"},{"last_affected":"7.0.8"},{"introduced":"7.0.10"},{"last_affected":"7.0.10"},{"introduced":"7.0.11"},{"last_affected":"7.0.11"},{"introduced":"7.0.12"},{"last_affected":"7.0.12"},{"introduced":"7.0.14"},{"last_affected":"7.0.14"},{"introduced":"7.0.16"},{"last_affected":"7.0.16"},{"introduced":"7.0.19"},{"last_affected":"7.0.19"},{"introduced":"7.0.20"},{"last_affected":"7.0.20"},{"introduced":"7.0.21"},{"last_affected":"7.0.21"},{"introduced":"7.0.22"},{"last_affected":"7.0.22"},{"introduced":"7.0.23"},{"last_affected":"7.0.23"},{"introduced":"7.0.25"},{"last_affected":"7.0.25"},{"introduced":"7.0.26"},{"last_affected":"7.0.26"},{"introduced":"7.0.27"},{"last_affected":"7.0.27"},{"introduced":"7.0.28"},{"last_affected":"7.0.28"},{"introduced":"7.0.29"},{"last_affected":"7.0.29"},{"introduced":"7.0.30"},{"last_affected":"7.0.30"},{"introduced":"7.0.32"},{"last_affected":"7.0.32"},{"introduced":"7.0.33"},{"last_affected":"7.0.33"},{"introduced":"7.0.34"},{"last_affected":"7.0.34"},{"introduced":"7.0.35"},{"last_affected":"7.0.35"},{"introduced":"7.0.37"},{"last_affected":"7.0.37"},{"introduced":"7.0.39"},{"last_affected":"7.0.39"},{"introduced":"7.0.40"},{"last_affected":"7.0.40"},{"introduced":"7.0.41"},{"last_affected":"7.0.41"},{"introduced":"7.0.42"},{"last_affected":"7.0.42"},{"introduced":"7.0.47"},{"last_affected":"7.0.47"},{"introduced":"7.0.50"},{"last_affected":"7.0.50"},{"introduced":"7.0.52"},{"last_affected":"7.0.52"},{"introduced":"7.0.53"},{"last_affected":"7.0.53"},{"introduced":"7.0.54"},{"last_affected":"7.0.54"},{"introduced":"7.0.55"},{"last_affected":"7.0.55"},{"introduced":"7.0.56"},{"last_affected":"7.0.56"},{"introduced":"7.0.57"},{"last_affected":"7.0.57"},{"introduced":"7.0.59"},{"last_affected":"7.0.59"},{"introduced":"7.0.61"},{"last_affected":"7.0.61"},{"introduced":"7.0.62"},{"last_affected":"7.0.62"},{"introduced":"7.0.63"},{"last_affected":"7.0.63"},{"introduced":"7.0.64"},{"last_affected":"7.0.64"},{"introduced":"7.0.65"},{"last_affected":"7.0.65"},{"introduced":"7.0.67"},{"last_affected":"7.0.67"},{"introduced":"7.0.68"},{"last_affected":"7.0.68"},{"introduced":"7.0.69"},{"last_affected":"7.0.69"}],"source":"CPE_STRING"}}],"versions":["7.0.0","7.0.1","7.0.10","7.0.11","7.0.12","7.0.14","7.0.16","7.0.19","7.0.2","7.0.20","7.0.21","7.0.22","7.0.23","7.0.25","7.0.26","7.0.27","7.0.28","7.0.29","7.0.30","7.0.32","7.0.33","7.0.34","7.0.35","7.0.37","7.0.39","7.0.4","7.0.40","7.0.41","7.0.42","7.0.47","7.0.5","7.0.50","7.0.52","7.0.53","7.0.54","7.0.55","7.0.56","7.0.57","7.0.59","7.0.6","7.0.61","7.0.62","7.0.63","7.0.64","7.0.65","7.0.67","7.0.68","7.0.69","7.0.8","8.5.0","8.5.2","9.0.0-milestone1","9.0.0-milestone3","9.0.0-milestone4","9.0.0-milestone6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3092.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}