CVE-2018-16789

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-16789
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16789.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-16789
Downstream
Published
2019-03-21T16:00:22.547Z
Modified
2026-04-11T11:40:01.609125Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.

References

Affected packages

Git / github.com/shellinabox/shellinabox

Affected ranges

Type
GIT
Repo
https://github.com/shellinabox/shellinabox
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5c7fb5cde2d2a74775af040549bb5cb11aae6790
Fixed
4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.20"
        }
    ]
}

Affected versions

v2.*
v2.11
v2.12
v2.13
v2.14
v2.15
v2.15-rc2
v2.16
v2.17
v2.18
v2.19
v2.20

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16789.json"
vanir_signatures_modified 
"2026-04-11T11:40:01Z"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "108587633537507210242609878158511307392",
                "108587633537507210242609878158511307392",
                "55349953397407534518078989044189755933",
                "200263102641848300981171117296208127289"
            ]
        },
        "source": "https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361",
        "id": "CVE-2018-16789-95780f45",
        "signature_type": "Line",
        "target": {
            "file": "libhttp/url.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1668.0,
            "function_hash": "312959051071918327107693244833019918451"
        },
        "source": "https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361",
        "id": "CVE-2018-16789-faaf7bc7",
        "signature_type": "Function",
        "target": {
            "function": "urlParsePostBody",
            "file": "libhttp/url.c"
        }
    }
]