libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.
CPE | Name | Operator | Version |
---|---|---|---|
shellinabox | eq | 2.17 | |
shellinabox | eq | 2.14 | |
shellinabox | eq | 2.15-rc2 | |
shellinabox | eq | 2.16 | |
shellinabox | eq | 2.20 | |
shellinabox | eq | 2.18 | |
shellinabox | eq | 2.15 | |
shellinabox | eq | 2.19 | |
shellinabox | eq | 2.12 | |
shellinabox | eq | 2.11 |