Description
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1349468
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121
http://svn.apache.org/viewvc?view=revision&revision=1743480
http://svn.apache.org/viewvc?view=revision&revision=1743738
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-7.html
http://jvn.jp/en/jp/JVN89379547/index.html
http://svn.apache.org/viewvc?view=revision&revision=1743722
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
http://svn.apache.org/viewvc?view=revision&revision=1743742
http://www.debian.org/security/2016/dsa-3614
http://www.ubuntu.com/usn/USN-3027-1
http://www.debian.org/security/2016/dsa-3611
http://www.debian.org/security/2016/dsa-3609
http://www.ubuntu.com/usn/USN-3024-1
http://www.securityfocus.com/bid/91453
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
https://security.gentoo.org/glsa/201705-09
http://www.securitytracker.com/id/1037029
http://www.securitytracker.com/id/1036900
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1036427
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securitytracker.com/id/1039606
https://access.redhat.com/errata/RHSA-2017:0456
https://access.redhat.com/errata/RHSA-2017:0455
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2072.html
http://rhn.redhat.com/errata/RHSA-2016-2071.html
http://rhn.redhat.com/errata/RHSA-2016-2070.html
http://rhn.redhat.com/errata/RHSA-2016-2069.html
http://rhn.redhat.com/errata/RHSA-2016-2068.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://security.netapp.com/advisory/ntap-20190212-0001/
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://security.gentoo.org/glsa/202107-39
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2023-20866 Vulnerability in maven package org.springframework.session:spring-session-core
CVE-2022-45685 Vulnerability in maven package org.codehaus.jettison:jettison
CVE-2021-21162 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-44487 Vulnerability in maven package org.eclipse.jetty.http2:http2-common
CVE-2020-28865 Vulnerability in maven package com.github.kfcfans:powerjob