CVE-2016-3092 (High) detected in tomcat-embed-core-8.0.28.jar
mend-bolt-for-github opened this issue
CVE-2016-3092 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.0.28.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.28/tomcat-embed-core-8.0.28.jar
Dependency Hierarchy:
- core-3.7.11.jar (Root Library)
  - ❌ tomcat-embed-core-8.0.28.jar (Vulnerable Library)
Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b
Found in base branch: master
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.36
Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.7.12