CVSSv2: 9.3

CVE-2018-1335

Published: 25/04/2018 Updated: 18/03/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 938
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Affected Products

Vendor | Product | Versions
Apache | Tika | 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12, 1.13, 1.14, 1.15, 1.16, 1.17

Vendor Advisories

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18 ...

Exploits

#Description: This is a PoC for remote command execution in Apache Tika-server
#Versions Affected: Tika-server versions < 1.18
#Researcher: David Yesland Twitter: ...

Mailing Lists

Apache Tika Server versions prior to 1.18 suffer from a command injection vulnerability ...

Github Repositories

Zhengjim - Vulnerability Reproduction. Setting up vulnerable environments is a tedious job; here I record my own notes on building various environments. Some of them use Vulhub, an open-source vulnerability range aimed at the general public, to set up the environment, which is quite convenient. (Mainly laziness!) Vulnerabilities: S2-057 command execution vulnerability; ghostscript command execution vulnerability; weblogic deserialization vulnerability (CVE-2018-2628); Elasticsearch-Kibana local package

Rhino CVE Proof-of-Concept Exploits A collection of proof-of-concept exploit scripts written by the team at Rhino Security Labs for various CVEs CVE-2018-1000110: User and Node Enumeration Through Jenkins Git Plugin <v3.7 CVE-2018-20621: MEmu Android Emulator Local Privilege Escalation CVE-2018-5757: Authenticated RCE in AudioCodes 450HD Phone CVE-2018-5758: XXE in Jiv

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :