Apache Tika 1.15-1.17 header command injection

Published on
16 Jun 2021

Tika is an Apache platform for content type identification and extraction. The Apache Tika™ toolkit identifies and extracts metadata and text from a wide range of file types (such as PPT, XLS, and PDF). From Apache Tika versions 1.7 to 1.17, clients could send specially constructed headers to tika-server that could be used to inject commands into the server's command line. This vulnerability only affects those who run tika-server on a host that untrusted clients can reach. The vulnerability's entry point is the HTTP headers.

Mitigation / Precaution

If you are using Apache Tika versions 1.15-1.17, update to Tika 1.18 or later.
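As an added check (not code from the Apache Tika project), the script below asks a running tika-server for its version and flags anything older than 1.18, the first release the advisory names as fixed. It assumes the default tika-server listen address http://localhost:9998 and the server's plain-text GET /version endpoint, which answers with a banner such as "Apache Tika 1.17".

```python
"""Flag a tika-server that is still on a pre-1.18 release.

Added example, not code from the Apache Tika project. Assumes the default
listen address (http://localhost:9998) and the plain-text GET /version
endpoint, which returns a banner like "Apache Tika 1.17".
"""
import re
import sys
import urllib.request

# First release the advisory tells you to move to.
FIXED_VERSION = (1, 18)


def parse_tika_version(banner: str) -> tuple:
    """Extract the numeric version from a /version banner such as
    'Apache Tika 1.17' or 'Apache Tika 2.4.1' as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError(f"no version found in banner: {banner!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_upgrade(banner: str) -> bool:
    """True when the reported version is older than 1.18, i.e. still in
    the range this advisory says to upgrade away from."""
    return parse_tika_version(banner) < FIXED_VERSION


def fetch_version_banner(base_url: str = "http://localhost:9998",
                         timeout: float = 5.0) -> str:
    """Query the running server; this is the only part that needs network."""
    req = urllib.request.Request(f"{base_url}/version",
                                 headers={"Accept": "text/plain"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace").strip()


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9998"
    banner = fetch_version_banner(url)
    status = "UPGRADE REQUIRED" if needs_upgrade(banner) else "ok"
    print(f"{url}: {banner} -> {status}")
```

Run it with the base URL of each tika-server instance as the single argument; the version-parsing functions can also be imported and run against banners collected elsewhere.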
