You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by Tim Allison <ta...@apache.org> on 2018/04/25 17:06:53 UTC
[CVE-2018-1335] Command Injection Vulnerability in Apache Tika’s tika-server module
CVE-2018-1335 – Command Injection Vulnerability in Apache Tika’s tika-server
module
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: <1.18
Description: Before Tika 1.18, clients could send carefully crafted
headers to tika-server that could be used to inject commands into the
command line of the server running tika-server. This vulnerability
only affects those running tika-server on a server that is open to
untrusted clients.
Mitigation: Ensure that untrusted users don't have access to
tika-server and/or upgrade to Apache Tika >=1.18.
Credit: Tim Allison, a member of the Apache Tika team, discovered this.