libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Shellinabox | Shellinabox_project | * | 2.20 (including) |
| Shellinabox | Ubuntu | bionic | * |
| Shellinabox | Ubuntu | cosmic | * |
| Shellinabox | Ubuntu | trusty | * |
| Shellinabox | Ubuntu | upstream | * |
| Shellinabox | Ubuntu | xenial | * |