Apache tika 1.15-1.17 header command injection

By
Prathap
Published on
16 Jun 2021
Vulnerability

Tika is an Apache platform for content type identification and extraction.A Apache Tika™ toolkit identifies as well as extracts metadata and texts from a wide range of file types (such as PPT, XLS, and PDF). From Apache Tika versions 1.7 to 1.17, Clients could send specially constructed headers to tika-server that could be used to insert commands into the server’s command line. This vulnerability only affects those who run tika-server on a server that untrusted clients can control. The vulnerability’s entry point is “headers.”

Mitigation / Precaution

If you are using Apache tika versions 1.15-1.17 update to Tika 1.18 or later.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Prathap
Prathap
Co-founder, Director
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.