Vulnerabilities > CVE-2018-16789 - Infinite Loop vulnerability in Shellinabox Project Shellinabox

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

shellinabox-project

CWE-835

NVD

Published: 2019-03-21

Updated: 2020-08-24

Summary

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.

Vulnerable Configurations

Part	Description	Count
Application	Shellinabox_Project Shellinabox Project Shellinabox 2.0 Shellinabox Project Shellinabox 2.0-1 Shellinabox Project Shellinabox 2.1 Shellinabox Project Shellinabox 2.1-1 Shellinabox Project Shellinabox 2.2 Shellinabox Project Shellinabox 2.2-1 Shellinabox Project Shellinabox 2.3 Shellinabox Project Shellinabox 2.3-1 Shellinabox Project Shellinabox 2.4-1 Shellinabox Project Shellinabox 2.5 Shellinabox Project Shellinabox 2.5-1 Shellinabox Project Shellinabox 2.6 Shellinabox Project Shellinabox 2.6-1 Shellinabox Project Shellinabox 2.7 Shellinabox Project Shellinabox 2.7-1 Shellinabox Project Shellinabox 2.8 Shellinabox Project Shellinabox 2.8-1 Shellinabox Project Shellinabox 2.9 Shellinabox Project Shellinabox 2.9-1 Shellinabox Project Shellinabox 2.10 Shellinabox Project Shellinabox 2.10-1 Shellinabox Project Shellinabox 2.11 Shellinabox Project Shellinabox 2.12 Shellinabox Project Shellinabox 2.13 Shellinabox Project Shellinabox 2.14 Shellinabox Project Shellinabox 2.15 Shellinabox Project Shellinabox 2.16 Shellinabox Project Shellinabox 2.17 Shellinabox Project Shellinabox 2.18 Shellinabox Project Shellinabox 2.19 Shellinabox Project Shellinabox 2.20	32

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Packetstorm

data source	https://packetstormsecurity.com/files/download/149978/shellinabox220-dos.txt
id	PACKETSTORM:149978
last seen	2018-10-27
published	2018-10-27
reporter	Imre Rad
source	https://packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html
title	Shell In A Box 2.2.0 Denial Of Service

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Packetstorm

References