CVE-2016-3092

Description

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

How to fix CVE-2016-3092

To remediate CVE-2016-3092, upgrade the affected package to a fixed version below.

• —upgrade to 1.3.2-1 or later
• —upgrade to 1.2.2-1+deb7u3 or later
• —upgrade to 1.3.1-1+deb8u1 or later
• —upgrade to 7.0.28-4+deb7u5 or later
• —upgrade to 7.0.56-3+deb8u3 or later
• —upgrade to 1.3.2 or later

Is CVE-2016-3092 being exploited?

Moderate — EPSS is 40.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• from 0, < 1.3.2-1
• from 0, < 1.2.2-1+deb7u3
• from 0, < 1.3.1-1+deb8u1
• from 0, < 7.0.28-4+deb7u5
• from 0, < 7.0.56-3+deb8u3
• from 0, < 1.3.2

CVSS scores

References (55)

• ADVISORYgithub.com/advisories/GHSA-fvm3-cfvj-gxqq
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3092
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-3092
• WEBjvndb.jvn.jp/jvndb/JVNDB-2016-000121
• WEB