Apache Tika 1.15-1.17 header command injection

By
Prathap
Published on
16 Jun 2021
Vulnerability

Apache Tika is a toolkit for content type detection and content extraction. The Apache Tika™ toolkit identifies, and extracts metadata and text from, a wide range of file types (such as PPT, XLS, and PDF). In Apache Tika versions 1.7 to 1.17, clients could send specially crafted headers to tika-server that could be used to inject commands into the server's command line. This vulnerability only affects deployments that run tika-server on a host untrusted clients can send requests to. The vulnerability's entry point is the HTTP request headers.

Mitigation / Precaution

If you are using Apache Tika versions 1.15-1.17, update to Tika 1.18 or later.
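Where tika-server has to stay reachable by clients you do not fully trust, a reverse proxy in front of it can forward only allowlisted headers whose values are validated in full, so a crafted header never reaches the server's command line. The guard below is an added example, not code from the advisory or the Tika project; the X-Tika-* header names and their patterns are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Standard request headers the proxy passes through to tika-server unchanged.
STANDARD_HEADERS = {"accept", "content-type", "content-length"}

# tika-server control headers this proxy chooses to expose, each with an
# anchored pattern its value must match in full. These names and patterns are
# assumptions for this example, not a list taken from the advisory.
TIKA_HEADER_RULES = {
    "x-tika-pdfextractinlineimages": re.compile(r"(true|false)", re.IGNORECASE),
    "x-tika-ocrlanguage": re.compile(r"[a-z]{3}(\+[a-z]{3})*"),
}


def filter_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers safe to forward, reasons each other header was dropped)."""
    forwarded: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in STANDARD_HEADERS:
            forwarded[lname] = value
        elif lname.startswith("x-tika-"):
            # Positive validation: unknown control headers and values that do not
            # match their pattern in full never reach tika-server.
            rule = TIKA_HEADER_RULES.get(lname)
            if rule is None:
                rejected.append(f"{name}: control header not on the allowlist")
            elif not rule.fullmatch(value.strip()):
                rejected.append(f"{name}: value {value!r} does not match the allowed pattern")
            else:
                forwarded[lname] = value.strip()
        else:
            rejected.append(f"{name}: not forwarded")
    return forwarded, rejected


# Constructed request headers for demonstration; not captured traffic.
SAMPLE_REQUEST = {
    "Content-Type": "application/pdf",
    "Accept": "text/plain",
    "X-Tika-PDFextractInlineImages": "true",
    "X-Tika-OCRLanguage": "eng;extra",
    "X-Tika-SomeToolPath": "/opt/tool",
    "X-Forwarded-For": "203.0.113.5",
}

if __name__ == "__main__":
    print(filter_headers(SAMPLE_REQUEST))
```

Only the three standard headers and the well-formed boolean header are forwarded from the sample request; the malformed language value, the unknown X-Tika-* header and the unrelated header are all dropped with a reason the proxy can log.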


Written by
Prathap
Co-founder, Director