Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAC1dCwVhrPRyFJMS5BbY02+495CUODrAzndqZkvKacJnXUSm+w@mail.gmail.com>
Date: Wed, 25 Apr 2018 13:06:53 -0400
From: Tim Allison <tallison@...che.org>
To: announce@...che.org, dev@...a.apache.org, user@...a.apache.org, 
	oss-security@...ts.openwall.com
Subject: [CVE-2018-1335] Command Injection Vulnerability in Apache Tika’s tika-server module

CVE-2018-1335 – Command Injection Vulnerability in Apache Tika’s tika-server
module


Severity: High



Vendor: The Apache Software Foundation



Versions Affected: <1.18



Description: Before Tika 1.18, clients could send carefully crafted

headers to tika-server that could be used to inject commands into the

command line of the server running tika-server.  This vulnerability

only affects those running tika-server on a server that is open to

 untrusted clients.



Mitigation: Ensure that untrusted users don't have access to

tika-server and/or upgrade to Apache Tika >=1.18.



Credit: Tim Allison, a member of the Apache Tika team, discovered this.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.