CVE-2018-1335
Apache Tika 1.15 - 1.17 - Header Command Injection
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 6
- Exploited in Wild: -
- Decision: -
Descriptions
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Apache Tika Server versions prior to 1.18 suffer from a command injection vulnerability.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-12-07 CVE Reserved
- 2018-04-25 CVE Published
- 2019-03-20 First Exploit
- 2024-09-17 CVE Updated
- 2024-10-19 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (14)
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/47208 | 2019-08-05 | |
https://www.exploit-db.com/exploits/46540 | 2024-09-17 | |
https://github.com/SkyBlueEternal/CVE-2018-1335-EXP-GUI | 2019-03-20 | |
https://github.com/DigitalNinja00/CVE-2018-1335 | 2024-06-06 | |
https://github.com/siramk/CVE-2018-1335 | 2021-03-26 | |
https://github.com/N0b1e6/CVE-2018-1335-Python3 | 2020-02-11 | |
https://access.redhat.com/errata/RHSA-2019:3140 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2018-1335 | 2019-10-17 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1572416 | 2019-10-17 | |