CVE-2018-1335: Command Injection
First published: Wed Apr 25 2018(Updated: )
Apache Tika before version 1.18 has a command injection vulnerability in tika-server. A remote attacker could exploit this to execute arbitrary commands via crafted headers. External References: <a href="https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E">https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E</a>
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tika | <1.18 | |
| redhat/tika | <1.18 | 1.18 |
| maven/org.apache.tika:tika-core | >=1.7<1.18 | 1.18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2018-1335 https://nvd.nist.gov/vuln/detail/CVE-2018-1335 https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1572416
- https://access.redhat.com/errata/RHSA-2019:3140
- https://access.redhat.com/security/cve/cve-2018-1335
- http://packetstormsecurity.com/files/153864/Apache-Tika-1.17-Header-Command-Injection.html
- http://www.securityfocus.com/bid/104001
- https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E
- https://www.exploit-db.com/exploits/46540/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1572418
- https://access.redhat.com/security/updates/classification/
- https://nvd.nist.gov/vuln/detail/CVE-2018-1335
- https://github.com/advisories/GHSA-9r24-gp44-h3pm (Advisory)
- https://www.exploit-db.com/exploits/46540
- https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca%40%3Cdev.tika.apache.org%3E
Frequently Asked Questions
What is CVE-2018-1335?
CVE-2018-1335 is a vulnerability in Apache Tika versions 1.7 to 1.17 that allows clients to inject commands into the command line of the server running tika-server.
What is the severity of CVE-2018-1335?
CVE-2018-1335 has a severity level of critical with a CVSS score of 8.8.
How does CVE-2018-1335 affect Apache Tika?
CVE-2018-1335 affects Apache Tika versions 1.7 to 1.17.
How can I fix CVE-2018-1335?
To fix CVE-2018-1335, upgrade to Apache Tika version 1.18 or later.
Is CVE-2018-1335 a remote code execution vulnerability?
Yes, CVE-2018-1335 allows remote attackers to execute arbitrary commands on the server running tika-server.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1335
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9r24-gp44-h3pm
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/references
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tika
- package-manager/redhat
- package-manager/maven