Date: Wed, 25 Apr 2018 13:06:53 -0400 From: Tim Allison <tallison@...che.org> To: announce@...che.org, dev@...a.apache.org, user@...a.apache.org, oss-security@...ts.openwall.com Subject: [CVE-2018-1335] Command Injection Vulnerability in Apache Tika’s tika-server module CVE-2018-1335 – Command Injection Vulnerability in Apache Tika’s tika-server module Severity: High Vendor: The Apache Software Foundation Versions Affected: <1.18 Description: Before Tika 1.18, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. Mitigation: Ensure that untrusted users don't have access to tika-server and/or upgrade to Apache Tika >=1.18. Credit: Tim Allison, a member of the Apache Tika team, discovered this.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.