github - ghsa-fvm3-cfvj-gxqq

ghsa-fvm3-cfvj-gxqq

Vulnerability from github

Published

2018-12-21 17:47

Modified

2021-07-19 15:57

Severity

7.5 (High) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

High severity vulnerability that affects commons-fileupload:commons-fileupload

Details

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "commons-fileupload:commons-fileupload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-3092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:35:21Z",
    "nvd_published_at": "2016-07-04T22:59:00Z",
    "severity": "HIGH"
  },
  "details": "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.",
  "id": "GHSA-fvm3-cfvj-gxqq",
  "modified": "2021-07-19T15:57:47Z",
  "published": "2018-12-21T17:47:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3092"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20171111060434/http://www.securitytracker.com/id/1039606"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20171103224941/http://www.securitytracker.com/id/1036900"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170317103106/http://www.securitytracker.com/id/1037029"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20160924080828/http://www.securityfocus.com/bid/91453"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20160726114129/http://www.securitytracker.com/id/1036427"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190212-0001"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-39"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201705-09"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759"
    },
    {
      "type": "WEB",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840"
    },
    {
      "type": "WEB",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fvm3-cfvj-gxqq"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:0456"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:0455"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN89379547/index.html"
    },
    {
      "type": "WEB",
      "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2068.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2069.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2070.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2071.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2072.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743480"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743722"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743738"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743742"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-7.html"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-8.html"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-9.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3609"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3611"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3614"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3024-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3027-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "High severity vulnerability that affects commons-fileupload:commons-fileupload"
}

cve-2016-3092

Vulnerability from cvelistv5

Published

2016-07-04 22:00

Modified

2024-08-05 23:40

Severity

Summary

References

URL	Tags
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121	third-party-advisory, x_refsource_JVNDB
https://security.netapp.com/advisory/ntap-20190212-0001/	x_refsource_CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759	x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1743480	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	x_refsource_CONFIRM
https://security.gentoo.org/glsa/201705-09	vendor-advisory, x_refsource_GENTOO
http://svn.apache.org/viewvc?view=revision&revision=1743738	x_refsource_CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840	x_refsource_CONFIRM
http://tomcat.apache.org/security-9.html	x_refsource_CONFIRM
http://www.ubuntu.com/usn/USN-3024-1	vendor-advisory, x_refsource_UBUNTU
http://rhn.redhat.com/errata/RHSA-2016-2069.html	vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1037029	vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2016-2068.html	vendor-advisory, x_refsource_REDHAT
http://tomcat.apache.org/security-7.html	x_refsource_CONFIRM
http://www.securitytracker.com/id/1036900	vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/91453	vdb-entry, x_refsource_BID
http://tomcat.apache.org/security-8.html	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2072.html	vendor-advisory, x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	x_refsource_CONFIRM
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html	x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1743722	x_refsource_CONFIRM
http://www.debian.org/security/2016/dsa-3611	vendor-advisory, x_refsource_DEBIAN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2807.html	vendor-advisory, x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html	vendor-advisory, x_refsource_SUSE
http://jvn.jp/en/jp/JVN89379547/index.html	third-party-advisory, x_refsource_JVN
http://www.securitytracker.com/id/1036427	vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2016-2070.html	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2017-0457.html	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-2808.html	vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1039606	vdb-entry, x_refsource_SECTRACK
http://svn.apache.org/viewvc?view=revision&revision=1743742	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2599.html	vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2016/dsa-3609	vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:0455	vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2016/dsa-3614	vendor-advisory, x_refsource_DEBIAN
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	x_refsource_CONFIRM
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E	mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2017:0456	vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=1349468	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2071.html	vendor-advisory, x_refsource_REDHAT
http://www.ubuntu.com/usn/USN-3027-1	vendor-advisory, x_refsource_UBUNTU
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	x_refsource_MISC
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
https://security.gentoo.org/glsa/202107-39	vendor-advisory, x_refsource_GENTOO

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website