CVE-2018-16789 (NVD)

2019-03-21

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.

Products: Shellinabox
Type: Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
First patch: https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361
Relevant file/s:
• ./debian/changelog (modified, +6)
• ./libhttp/url.c (modified, +15)
Links:
• https://code.google.com/archive/p/shellinabox/issues
• http://packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html
• http://seclists.org/fulldisclosure/2018/Oct/50
