oss-sec mailing list archives
[CVE-2018-1335] Command Injection Vulnerability in Apache Tika’s tika-server module
From: Tim Allison <tallison () apache org>
Date: Wed, 25 Apr 2018 13:06:53 -0400
CVE-2018-1335 – Command Injection Vulnerability in Apache Tika’s tika-server module Severity: High Vendor: The Apache Software Foundation Versions Affected: <1.18 Description: Before Tika 1.18, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. Mitigation: Ensure that untrusted users don't have access to tika-server and/or upgrade to Apache Tika >=1.18. Credit: Tim Allison, a member of the Apache Tika team, discovered this.
Current thread:
- [CVE-2018-1335] Command Injection Vulnerability in Apache Tika’s tika-server module Tim Allison (Apr 25)