Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-1335

Опубликовано: 25 апр. 2018
Источник: redhat
CVSS3: 8.8
EPSS Критический

Описание

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Отчет

This issue affects the versions of tika which is embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6tika-coreNot affected
Red Hat Fuse 7camel-tikaNot affected
Red Hat JBoss BRMS 5tika-coreNot affected
Red Hat JBoss BRMS 6tika-coreNot affected
Red Hat JBoss Fuse Integration Service 2tika-coreNot affected
Red Hat JBoss Fuse Service Works 6tika-coreNot affected
Red Hat Satellite 5tikaWill not fix
Red Hat Software Collectionsrh-eclipse46-tikaNot affected
Red Hat JBoss Data Virtualization 6.4.8tika-coreFixedRHSA-2019:314017.10.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-77
https://bugzilla.redhat.com/show_bug.cgi?id=1572416tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers

EPSS

Процентиль: 100%
0.93644
Критический

8.8 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-1335

CVSS3: 8.1
ubuntu
почти 8 лет назад

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

nvd логотип

CVE-2018-1335

CVSS3: 8.1
nvd
почти 8 лет назад

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

debian логотип

CVE-2018-1335

CVSS3: 8.1
debian
почти 8 лет назад

From Apache Tika versions 1.7 to 1.17, clients could send carefully cr ...

github логотип

GHSA-9r24-gp44-h3pm

CVSS3: 8.1
github
больше 7 лет назад

Command injection in org.apache.tika:tika-core

EPSS

Процентиль: 100%
0.93644
Критический

8.8 High

CVSS3