Vulnerabilities > CVE-2018-1335 - Unspecified vulnerability in Apache Tika

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

apache

exploit available

metasploit

NVD

Published: 2018-04-25

Updated: 2023-11-07

Summary

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Tika 0.1 Apache Tika 0.2 Apache Tika 0.3 Apache Tika 0.4 Apache Tika 0.5 Apache Tika 0.6 Apache Tika 0.7 Apache Tika 0.8 Apache Tika 0.9 Apache Tika 0.10 Apache Tika 1.0 Apache Tika 1.1 Apache Tika 1.2 Apache Tika 1.3 Apache Tika 1.4 Apache Tika 1.5 Apache Tika 1.6 Apache Tika 1.7 Apache Tika 1.8 Apache Tika 1.9 Apache Tika 1.10 Apache Tika 1.11 Apache Tika 1.12 Apache Tika 1.13 Apache Tika 1.14 Apache Tika 1.15 Apache Tika 1.16 Apache Tika 1.17	28

Exploit-Db

id	EDB-ID:47208
last seen	2019-08-05
modified	2019-08-05
published	2019-08-05
reporter	Exploit-DB
source	https://www.exploit-db.com/download/47208
title	Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)

file	exploits/windows/remote/46540.py
id	EDB-ID:46540
last seen	2019-03-13
modified	2019-03-13
platform	windows
port
published	2019-03-13
reporter	Exploit-DB
source	https://www.exploit-db.com/download/46540
title	Apache Tika-server < 1.18 - Command Injection
type	remote

Metasploit

description	This module exploits a command injection vulnerability in Apache Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic bytes checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 - 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only > 1.14 was exploitable due to jp2 support being added.
id	MSF:EXPLOIT/WINDOWS/HTTP/APACHE_TIKA_JP2_JSCRIPT
last seen	2020-06-13
modified	2019-07-30
published	2019-03-29
references	https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/ https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1335
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/apache_tika_jp2_jscript.rb
title	Apache Tika Header Command Injection

Packetstorm

data source	https://packetstormsecurity.com/files/download/152076/apachetika-exec.txt
id	PACKETSTORM:152076
last seen	2019-03-14
published	2019-03-13
reporter	David Yesland
source	https://packetstormsecurity.com/files/152076/Apache-Tika-Server-Command-Injection.html
title	Apache Tika Server Command Injection

data source	https://packetstormsecurity.com/files/download/153864/apache_tika_jp2_jscript.rb.txt
id	PACKETSTORM:153864
last seen	2019-08-02
published	2019-08-02
reporter	h00die
source	https://packetstormsecurity.com/files/153864/Apache-Tika-1.17-Header-Command-Injection.html
title	Apache Tika 1.17 Header Command Injection

Redhat

advisories

rhsa

id	RHSA-2019:3140

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Packetstorm

Redhat

References