CVE-2016-3092

HIGH

Apache Tomcat < 1.3.1 - Improper Input Validation

Title source: rule

Description

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-3092-commons-fileupload-vulnerable

nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-3092-commons-fileupload-vulnerable

Scores

CVSS v3 7.5
EPSS 0.3387
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE CWE-20
Status published
Products (40)
apache/commons_fileupload < 1.3.1
apache/tomcat 9.0.0 milestone1 (4 CPE variants)
apache/tomcat 8.0.0 rc1 (4 CPE variants)
apache/tomcat 8.0.1
apache/tomcat 8.0.3
apache/tomcat 8.0.5
apache/tomcat 8.0.8
apache/tomcat 8.0.11
apache/tomcat 8.0.12
apache/tomcat 8.0.14
... and 30 more
Published Jul 04, 2016
Tracked Since Feb 18, 2026