{"id":"CVE-2016-3092","details":"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.","aliases":["GHSA-fvm3-cfvj-gxqq"],"modified":"2026-04-09T04:36:23.159156Z","published":"2016-07-04T22:59:04.303Z","related":["MGASA-2016-0260","SUSE-SU-2016:2188-1","SUSE-SU-2017:1660-1","SUSE-SU-2023:0730-1","SUSE-SU-2023:0758-1","openSUSE-SU-2024:10446-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840"},{"type":"WEB","url":"http://www.securitytracker.com/id/1036900"},{"type":"WEB","url":"http://www.securitytracker.com/id/1037029"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039606"},{"type":"WEB","url":"http://svn.apache.org/viewvc?view=revision&revision=1743480"},{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759"},{"type":"WEB","url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"},{"type":"WEB","url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"http://www.securitytracker.com/id/1036427"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2807.html"},{"type":"ADVISORY","url":"http://svn.apache.org/viewvc?view=revision&revision=1743742"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3609"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91453"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3027-1"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:0455"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3024-1"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2808.html"},{"type":"ADVISORY","url":"http://svn.apache.org/viewvc?view=revision&revision=1743722"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-39"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2069.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2071.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2072.html"},{"type":"ADVISORY","url":"http://svn.apache.org/viewvc?view=revision&revision=1743738"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3611"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:0456"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2068.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-9.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190212-0001/"},{"type":"ADVISORY","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2070.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2599.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0457.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-8.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"type":"ADVISORY","url":"http://jvn.jp/en/jp/JVN89379547/index.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-7.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3614"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201705-09"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1349468"},{"type":"FIX","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371"},{"type":"ARTICLE","url":"http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/commons-fileupload","events":[{"introduced":"0"},{"last_affected":"e19f0d04ff9d28e5e0d7bc6a4e98b6f04cec6bf8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3.1"}]}},{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"0"},{"last_affected":"4c8b650437e2464c1c31c6598a263b3805b7a81f"},{"introduced":"0"},{"last_affected":"29b07def810d335012e738b22ab44d4e232b50d1"},{"introduced":"0"},{"last_affected":"d1dc05e934e089ea8907998cf850760017a0ed82"},{"introduced":"0"},{"last_affected":"fd7f13635e6855f6ba3fead0bf37ba2fbf8b68cf"},{"introduced":"0"},{"last_affected":"d8ebf61e51b4455e3c226751e492a533f9002d48"},{"introduced":"0"},{"last_affected":"e37b977db6f47e4380ad67114a49e8568951c953"},{"introduced":"0"},{"last_affected":"f5dffa6e1148080fe5dc3690df917e805c72a714"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"introduced":"0"},{"last_affected":"72a8a7c601a7bff56723650d5bb1e353d095af3d"},{"introduced":"0"},{"last_affected":"511d6f15e4254f3af12c75e5199b66448342eabf"},{"introduced":"0"},{"last_affected":"53728ececd4dc0134c2e17de849db53ce08219c9"},{"introduced":"0"},{"last_affected":"bc8b8705a9713cbd0232ab2d326d96ceb4aef1ad"},{"introduced":"0"},{"last_affected":"4a39288c6eab999452c72af9fd1a0c12b054ca9f"},{"introduced":"0"},{"last_affected":"04d13f45b4268945a0bee7a56fc4cf3782db0c71"},{"introduced":"0"},{"last_affected":"8b83cefaf2a454706f03f509944ca46103db4d13"},{"introduced":"0"},{"last_affected":"85cfeb746b8ea0d0e51cc4ced6053075f5460a36"},{"introduced":"0"},{"last_affected":"de47b464201769870a06764cdd5143a59cd95302"},{"introduced":"0"},{"last_affected":"c845090723d1118dbce1928f9468e1726b79c3b1"},{"introduced":"0"},{"last_affected":"9e0d31f12dbd5441097dbec493895ad4e07a6832"},{"introduced":"0"},{"last_affected":"892c777b9d5c051dc20aacfefc280ab02dbe2143"},{"introduced":"0"},{"last_affected":"eae5ead3864c4e2d528a874069828c6c12dee8a5"},{"introduced":"0"},{"last_affected":"ddd8de1c64ef852caca10ab876fed02cfe827ef1"},{"introduced":"0"},{"last_affected":"6e2c7f6227de95874c79f77bafe5ed26dfeb4021"},{"introduced":"0"},{"last_affected":"9f62bc56a0887353e58579153a30c64c5369efdb"},{"introduced":"0"},{"last_affected":"009cf0448025b6227b026e66f5351f0dcb3dd733"},{"introduced":"0"},{"last_affected":"68e114cf9fe0a83a888099c084b3036040afa518"},{"introduced":"0"},{"last_affected":"efa0e79f82f17880c0d7427918bc34a83243dfa6"},{"introduced":"0"},{"last_affected":"5e096bfd5a387f057766dc6b5217feae75b08331"},{"introduced":"0"},{"last_affected":"b7b373b84f1b80602ed62fb056be7c7ce429a15c"},{"introduced":"0"},{"last_affected":"86ecd2ad87b805992b9e4c2f2317feaab7a1e3fb"},{"introduced":"0"},{"last_affected":"7cfeba335a41dd3b0e423f12534e5936c461711c"},{"introduced":"0"},{"last_affected":"ba53773f48f31de787edb559db38e3e02d7efffd"},{"introduced":"0"},{"last_affected":"7e8629b4ff4152ae6285fa184745e9a1382ca440"},{"introduced":"0"},{"last_affected":"fec4a6d1d1f050401aec5c6a3bd0431850472d92"},{"introduced":"0"},{"last_affected":"3477614af783b612341fa6bc00c16b32d1791de8"},{"introduced":"0"},{"last_affected":"5f6f258107e7e463cce41187e13474f3c894693e"},{"introduced":"0"},{"last_affected":"2b858c0fce0db18ca733b161d7428f2cca214841"},{"introduced":"0"},{"last_affected":"1958059057715d26415839cabad78e685d4d02f1"},{"introduced":"0"},{"last_affected":"ad3da1182b0ed370ec233b925c69dcee826a9efe"},{"introduced":"0"},{"last_affected":"81d3e54a46de226a5a8f11bcc65195cddcc24f96"},{"introduced":"0"},{"last_affected":"d70fcee0390d1a82b108979d26a7a397a7418bc7"},{"introduced":"0"},{"last_affected":"1b734919fd5ee83a2905070dcbd6ffffff1beb63"},{"introduced":"0"},{"last_affected":"32583ea28061391c314a09a43fbee48c072940a9"},{"introduced":"0"},{"last_affected":"b7d6e626d03f61ccd6c92e8ea28df12e67d256e6"},{"introduced":"0"},{"last_affected":"47af1012111595546f31d9096a37a839f93caa62"},{"introduced":"0"},{"last_affected":"feaf3763fb37e4a9176ef46a2c80e34821077884"},{"introduced":"0"},{"last_affected":"30a7e7f7b48aa5f9f4a559635966d70901b5f51d"},{"introduced":"0"},{"last_affected":"be7e6137267298d6a7b1b3cd2cb1f3f605f9162b"},{"introduced":"0"},{"last_affected":"8d84136656655a20287cf2dac6ec7fd047979de5"},{"introduced":"0"},{"last_affected":"20bd21830dfe7864cac78acb1b7c825baa11bd85"},{"introduced":"0"},{"last_affected":"6b77b128188a5ed033da2998ff2f47f65aa4f7f8"},{"introduced":"0"},{"last_affected":"f6de6eb5445d266506fcf89d3962a622478c2c6c"},{"introduced":"0"},{"last_affected":"a6d2ed3eef40903b661d138ae7c8fbd9790d1928"},{"introduced":"0"},{"last_affected":"05e76dc1b6edcc2fa87d95de72a8a714267e462d"},{"introduced":"0"},{"last_affected":"e0ffdd2535a8cb102c62b5db41170625e9d1bf46"},{"introduced":"0"},{"last_affected":"0b2140180148548e012498e2d7c074fb9d208beb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"10.0"},{"introduced":"0"},{"last_affected":"9.0.0-milestone1"},{"introduced":"0"},{"last_affected":"9.0.0-milestone3"},{"introduced":"0"},{"last_affected":"9.0.0-milestone4"},{"introduced":"0"},{"last_affected":"9.0.0-milestone6"},{"introduced":"0"},{"last_affected":"8.5.0"},{"introduced":"0"},{"last_affected":"8.5.2"},{"introduced":"0"},{"last_affected":"7.0.0"},{"introduced":"0"},{"last_affected":"7.0.1"},{"introduced":"0"},{"last_affected":"7.0.2"},{"introduced":"0"},{"last_affected":"7.0.4"},{"introduced":"0"},{"last_affected":"7.0.5"},{"introduced":"0"},{"last_affected":"7.0.6"},{"introduced":"0"},{"last_affected":"7.0.8"},{"introduced":"0"},{"last_affected":"7.0.10"},{"introduced":"0"},{"last_affected":"7.0.11"},{"introduced":"0"},{"last_affected":"7.0.12"},{"introduced":"0"},{"last_affected":"7.0.14"},{"introduced":"0"},{"last_affected":"7.0.16"},{"introduced":"0"},{"last_affected":"7.0.19"},{"introduced":"0"},{"last_affected":"7.0.20"},{"introduced":"0"},{"last_affected":"7.0.21"},{"introduced":"0"},{"last_affected":"7.0.22"},{"introduced":"0"},{"last_affected":"7.0.23"},{"introduced":"0"},{"last_affected":"7.0.25"},{"introduced":"0"},{"last_affected":"7.0.26"},{"introduced":"0"},{"last_affected":"7.0.27"},{"introduced":"0"},{"last_affected":"7.0.28"},{"introduced":"0"},{"last_affected":"7.0.29"},{"introduced":"0"},{"last_affected":"7.0.30"},{"introduced":"0"},{"last_affected":"7.0.32"},{"introduced":"0"},{"last_affected":"7.0.33"},{"introduced":"0"},{"last_affected":"7.0.34"},{"introduced":"0"},{"last_affected":"7.0.35"},{"introduced":"0"},{"last_affected":"7.0.37"},{"introduced":"0"},{"last_affected":"7.0.39"},{"introduced":"0"},{"last_affected":"7.0.40"},{"introduced":"0"},{"last_affected":"7.0.41"},{"introduced":"0"},{"last_affected":"7.0.42"},{"introduced":"0"},{"last_affected":"7.0.47"},{"introduced":"0"},{"last_affected":"7.0.50"},{"introduced":"0"},{"last_affected":"7.0.52"},{"introduced":"0"},{"last_affected":"7.0.53"},{"introduced":"0"},{"last_affected":"7.0.54"},{"introduced":"0"},{"last_affected":"7.0.55"},{"introduced":"0"},{"last_affected":"7.0.56"},{"introduced":"0"},{"last_affected":"7.0.57"},{"introduced":"0"},{"last_affected":"7.0.59"},{"introduced":"0"},{"last_affected":"7.0.61"},{"introduced":"0"},{"last_affected":"7.0.62"},{"introduced":"0"},{"last_affected":"7.0.63"},{"introduced":"0"},{"last_affected":"7.0.64"},{"introduced":"0"},{"last_affected":"7.0.65"},{"introduced":"0"},{"last_affected":"7.0.67"},{"introduced":"0"},{"last_affected":"7.0.68"},{"introduced":"0"},{"last_affected":"7.0.69"}]}}],"versions":["10.0.0","7.0.0","7.0.1","7.0.10","7.0.11","7.0.12","7.0.14","7.0.16","7.0.19","7.0.2","7.0.20","7.0.21","7.0.22","7.0.23","7.0.25","7.0.26","7.0.27","7.0.28","7.0.29","7.0.30","7.0.32","7.0.33","7.0.34","7.0.35","7.0.37","7.0.39","7.0.4","7.0.40","7.0.41","7.0.42","7.0.47","7.0.5","7.0.50","7.0.52","7.0.53","7.0.54","7.0.55","7.0.56","7.0.57","7.0.59","7.0.6","7.0.61","7.0.62","7.0.63","7.0.64","7.0.65","7.0.67","7.0.68","7.0.69","7.0.8","8.5.0","8.5.2","9.0.0-M1","9.0.0-M3","9.0.0-M4","9.0.0-M6","FILEUPLOAD_1_3_1","FILEUPLOAD_1_3_1_RC1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3092.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0-rc10"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0-rc5"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.11"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.12"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.14"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.15"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.17"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.18"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.20"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.21"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.22"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.23"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.24"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.26"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.27"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.28"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.29"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.30"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.32"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.33"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.35"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"15.10"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0-beta"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.2-beta"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.4-beta"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.5-beta"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}