Improper input validation in Apache Commons_fileupload
CVE-2016-3092
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial o…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.402 (97.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Apache Commons_fileupload
- Apache Tomcat — versions 9.0.0, 8.0.0, 8.0.1
- Hp Icewall_identity_manager — versions 5.0
- Hp Icewall_sso_agent_option — versions 10.0
- Canonical Ubuntu_linux — versions 12.04, 14.04, 15.10
- Debian Debian_linux — versions 8.0
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
References
- JVNDB-2016-000121 (x_refsource_JVNDB, VDB Entry, third-party-advisory, Vendor Advisory)
- secalert@redhat.com (x_refsource_CONFIRM)
- secalert@redhat.com (x_refsource_CONFIRM)
- secalert@redhat.com (x_refsource_CONFIRM)
- secalert@redhat.com (x_refsource_CONFIRM)
- GLSA-201705-09 (vendor-advisory, x_refsource_GENTOO)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
- secalert@redhat.com (x_refsource_CONFIRM)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
- USN-3024-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)
Frequently asked questions
- What is CVE-2016-3092?
- CVE-2016-3092 is a high-severity vulnerability in Apache Commons_fileupload, classified under Improper Input Validation. CVSS score: 7.5/10. Published 2016-07-04.
- How severe is CVE-2016-3092?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2016-3092 known to be exploited?
- 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.