PT-2016-2309 · Apache+6 · Apache Tomcat+7

Published: 2016-06-13 · Updated: 2025-09-29 · CVE-2016-3092

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Apache Commons Fileupload versions prior to 1.3.2
Apache Tomcat versions prior to 7.0.70
Apache Tomcat versions prior to 8.0.36
Apache Tomcat versions prior to 8.5.3
Apache Tomcat versions prior to 9.0.0.M7

Description

The issue allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. It is caused by insufficient input validation in the MultipartStream class: when the length of the multipart boundary is just below the size of the buffer used to read the uploaded file, the file upload process takes significantly longer than normal.

Recommendations

For Apache Commons Fileupload versions prior to 1.3.2, update to version 1.3.2 or later.
For Apache Tomcat versions prior to 7.0.70, update to version 7.0.70 or later.
For Apache Tomcat versions prior to 8.0.36, update to version 8.0.36 or later.
For Apache Tomcat versions prior to 8.5.3, update to version 8.5.3 or later.
For Apache Tomcat versions prior to 9.0.0.M7, update to version 9.0.0.M7 or later.

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2016-3250
ALT-PU-2017-2558
BDU:2016-01698
CESA-2016_2599
CVE-2016-3092
DLA-528-1
DLA-529-1
DSA-3609-1
DSA-3611-1
DSA-3614-1
GHSA-FVM3-CFVJ-GXQQ
MGASA-2016-0260
OPENSUSE-SU-2024:10446-1
OPENSUSE-SU-2024:13441-1
RHSA-2016:2068
RHSA-2016:2069
RHSA-2016:2070
RHSA-2016:2072
RHSA-2016:2599
RHSA-2016:2807
RHSA-2016_2599
RHSA-2017:0455
RHSA-2017:0456
SUSE-SU-2016:2188-1
SUSE-SU-2016_2188-1
SUSE-SU-2017:1660-1
SUSE-SU-2023:0730-1
SUSE-SU-2023:0758-1
USN-3024-1
USN-3027-1

Affected Products

Alt Linux
Apache Commons Fileupload
Apache Tomcat
Centos
Red Hat
Red Os
Suse
Ubuntu