Vulnerability Details : CVE-2018-1335

Public exploit exists!
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Published 2018-04-25 21:29:00
Updated 2019-10-03 00:03:26
Source Apache Software Foundation
View at NVD,   CVE.org

Products affected by CVE-2018-1335

Exploit prediction scoring system (EPSS) score for CVE-2018-1335

EPSS FAQ
93.64%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2018-1335

  • Apache Tika Header Command Injection
    Disclosure Date: 2018-04-25
    First seen: 2020-04-26
    exploit/windows/http/apache_tika_jp2_jscript
    This module exploits a command injection vulnerability in Apache Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic bytes checking. When OCR is specified in the request, parameters can be passed to change the parameters pa

CVSS scores for CVE-2018-1335

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.3
 HIGH AV:N/AC:M/Au:N/C:C/I:C/A:C
8.6
10.0
 NIST
8.1
 HIGH CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2.2
5.9
 NIST

References for CVE-2018-1335

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close