List:       apache-announce
Subject:    [CVE-2018-1335] Command Injection Vulnerability in Apache Tika…
From:       Tim Allison <tallison () apache ! org>
Date:       2018-04-25 17:06:53
Message-ID: CAC1dCwVhrPRyFJMS5BbY02+495CUODrAzndqZkvKacJnXUSm+w () mail ! gmail ! com

CVE-2018-1335 – Command Injection Vulnerability in Apache Tika's tika-server module

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: <1.18

Description: Before Tika 1.18, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients.

Mitigation: Ensure that untrusted users don't have access to tika-server and/or upgrade to Apache Tika >=1.18.

Credit: Tim Allison, a member of the Apache Tika team, discovered this.
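The description above names the general bug class: a request header value that ends up on the command line of a process the server spawns. The following is an added illustration written for this page, not code from the Tika project or from this announcement, and it makes no claim about how tika-server itself built its command lines. It shows the weak pattern (header text spliced into one shell string) beside a hardened one (allowlist validation, then an argument vector passed without a shell), plus a small audit helper a gateway or log review could run over incoming headers. The header name `X-Tool-Lang`, the tool name `ocrtool`, the `--lang` option and the allowlist regex are all assumptions made up for the example.

```python
import re
import subprocess
from typing import Optional

# Allowlist for a header whose value becomes one argument of a spawned tool.
# Constructed for this example: letters, digits, a few separators, bounded length.
SAFE_HEADER_VALUE = re.compile(r"^[A-Za-z0-9_+.-]{1,64}$")

# Characters that let a value escape a single argument once a shell parses it.
SHELL_METACHARACTERS = set(";|&$`\"'\\<>()\n\r\t ")


def build_command_unsafe(tool: str, header_value: str) -> str:
    """Weak pattern: the header text is spliced into one string that a shell
    will parse. Anything after a metacharacter becomes part of the command
    line rather than part of the option value."""
    return f"{tool} --lang {header_value}"


def validate_header_value(value: Optional[str]) -> Optional[str]:
    """Return the value unchanged if it matches the allowlist, else None.
    A missing header is treated the same way as a rejected one."""
    if value is None or not SAFE_HEADER_VALUE.fullmatch(value):
        return None
    return value


def build_command_safe(tool: str, header_value: str) -> list[str]:
    """Hardened pattern: validate first, then build an argument vector.
    The list form is handed to the OS without a shell, so a value that
    somehow slipped past validation still could not split into extra commands."""
    value = validate_header_value(header_value)
    if value is None:
        raise ValueError("rejected header value")
    return [tool, "--lang", value]


def run_tool(argv: list[str]) -> subprocess.CompletedProcess:
    """Spawn the tool from an argv list. shell=False is already the default;
    it is written out because it is the point of the example."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def audit_headers(headers: dict[str, str], guarded: set[str]) -> dict[str, str]:
    """Defender-side check: for each header (case-insensitive name) that feeds
    a process argument, report which shell metacharacters its value carries."""
    findings: dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() not in guarded:
            continue
        bad = sorted(ch for ch in set(value) if ch in SHELL_METACHARACTERS)
        if bad:
            findings[name] = "".join(bad)
    return findings


if __name__ == "__main__":
    # Constructed sample request headers; "X-Tool-Lang" is a hypothetical name.
    clean = {"X-Tool-Lang": "eng", "Content-Type": "application/pdf"}
    hostile = {"X-Tool-Lang": "eng; echo injected", "Content-Type": "application/pdf"}
    guarded = {"x-tool-lang"}

    # The weak builder lets the client's ';' reach the shell string unchanged.
    print(build_command_unsafe("ocrtool", hostile["X-Tool-Lang"]))
    # The audit helper flags exactly the characters that make that possible.
    print(audit_headers(hostile, guarded))
    # The hardened builder only ever yields a clean argv; here it is echoed back.
    print(run_tool(["echo"] + build_command_safe("ocrtool", clean["X-Tool-Lang"])).stdout)
```

The two defences are independent: the allowlist rejects values that have no business being a language or path option, and the argv form means the spawned program receives the value as one argument whatever it contains. Either alone narrows the bug; both together match the advisory's guidance of not exposing such a service to untrusted clients in the first place.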
