[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] =?UTF-8?Q?=5BCVE=2D2018=2D1335=5D_Command_Injection_Vulnerability_in_A?= =?UTF-8?Q?pa
From:       Tim Allison <tallison () apache ! org>
Date:       2018-04-25 17:06:53
Message-ID: CAC1dCwVhrPRyFJMS5BbY02+495CUODrAzndqZkvKacJnXUSm+w () mail ! gmail ! com
[Download RAW message or body]


CVE-2018-1335 – Command Injection Vulnerability in Apache Tika's tika-server
module


Severity: High



Vendor: The Apache Software Foundation



Versions Affected: <1.18



Description: Before Tika 1.18, clients could send carefully crafted

headers to tika-server that could be used to inject commands into the

command line of the server running tika-server.  This vulnerability

only affects those running tika-server on a server that is open to

 untrusted clients.



Mitigation: Ensure that untrusted users don't have access to

tika-server and/or upgrade to Apache Tika >=1.18.



Credit: Tim Allison, a member of the Apache Tika team, discovered this.


[prev in list] [next in list] [prev in thread] [next in thread]