CVE Vulnerabilities

CVE-2018-16789

Loop with Unreachable Exit Condition ('Infinite Loop')

Published: Mar 21, 2019 | Modified: Aug 24, 2020
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
7.8 HIGH
AV:N/AC:L/Au:N/C:N/I:N/A:C
RedHat/V2
RedHat/V3
Ubuntu

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.

Weakness

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

Name Vendor Start Version End Version
Shellinabox Shellinabox_project * 2.20
Shellinabox Ubuntu cosmic *
Shellinabox Ubuntu trusty *
Shellinabox Ubuntu upstream *
Shellinabox Ubuntu xenial *

References