[Bug 1572416] New: CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
8:16 p.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Bug ID: 1572416
Summary: CVE-2018-1335 tika: Command injection in tika-server
can allow remote attackers to execute arbitrary
commands via crafted headers
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: abergmann(a)suse.com, aileenc(a)redhat.com,
alazarot(a)redhat.com, anstephe(a)redhat.com,
bkearney(a)redhat.com, chazlett(a)redhat.com,
drieden(a)redhat.com, etirelli(a)redhat.com,
ggainey(a)redhat.com, gvarsami(a)redhat.com,
hghasemb(a)redhat.com, hhorak(a)redhat.com,
ibek(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jschatte(a)redhat.com,
jstastny(a)redhat.com, kconner(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lef(a)fedoraproject.org, lpetrovi(a)redhat.com,
mat.booth(a)redhat.com, meissner(a)suse.de,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pavelp(a)redhat.com, pszubiak(a)redhat.com,
puntogil(a)libero.it, rhel8-maint(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
sdaley(a)redhat.com, tcunning(a)redhat.com,
tkirby(a)redhat.com, tlestach(a)redhat.com,
vhalbert(a)redhat.com
Apache Tika before version 1.18 has a command injection vulnerability in
tika-server. A remote attacker could exploit this to execute arbitrary commands
via crafted headers.
External References:
https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b268...
--
You are receiving this mail because:
You are on the CC list for the bug.
8:17 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Sam Fowler <sfowler(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1572417, 1572418
--- Comment #1 from Sam Fowler <sfowler(a)redhat.com> ---
Created tika tracking bugs for this issue:
Affects: fedora-all [bug 1572418]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1572418
[Bug 1572418] CVE-2018-1335 tika: Command injection in tika-server can
allow remote attackers to execute arbitrary commands via crafted headers
[fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
8:23 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Sam Fowler <sfowler(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1572420
--
You are receiving this mail because:
You are on the CC list for the bug.
9:38 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Hooman Broujerdi <hghasemb(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=new,fis |3/rh-eclipse46-tika=new,fis
|-2/tika-core=new,fuse-7/cam |-2/tika-core=notaffected,fu
|el-tika=new,fsw-6/tika-core |se-7/camel-tika=notaffected
|=new,brms-5/tika-core=new,b |,fsw-6/tika-core=new,brms-5
|rms-6/tika-core=new,bpms-6/ |/tika-core=new,brms-6/tika-
|tika-core=new,jdv-6/tika-co |core=new,bpms-6/tika-core=n
|re=new,rhn_satellite_5/tika |ew,jdv-6/tika-core=new,rhn_
|=new |satellite_5/tika=new
--
You are receiving this mail because:
You are on the CC list for the bug.
4:26 a.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Bug 1572416 depends on bug 1572418, which changed state.
Bug 1572418 Summary: CVE-2018-1335 tika: Command injection in tika-server can allow remote
attackers to execute arbitrary commands via crafted headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1572418
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |NOTABUG
--
You are receiving this mail because:
You are on the CC list for the bug.
3:10 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=new,fis |3/rh-eclipse46-tika=new,fis
|-2/tika-core=notaffected,fu |-2/tika-core=notaffected,fu
|se-7/camel-tika=notaffected |se-7/camel-tika=notaffected
|,fsw-6/tika-core=new,brms-5 |,fsw-6/tika-core=new,brms-5
|/tika-core=new,brms-6/tika- |/tika-core=new,brms-6/tika-
|core=new,bpms-6/tika-core=n |core=new,bpms-6/tika-core=n
|ew,jdv-6/tika-core=new,rhn_ |ew,jdv-6/tika-core=new,rhn_
|satellite_5/tika=new |satellite_5/tika=wontfix/im
| |pact=low
--
You are receiving this mail because:
You are on the CC list for the bug.
3:11 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
--- Comment #4 from Kurt Seifried <kseifried(a)redhat.com> ---
Statement:
This issue affects the versions of tika which is embedded in the nutch package
as shipped with Red Hat Satellite 5. The tika server is not exposed, as such
exploitation is difficult, Red Hat Product Security has rated this issue as
having a security impact of Low. A future update may address this issue. For
additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.
--
You are receiving this mail because:
You are on the CC list for the bug.
8:22 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Doran Moppert <dmoppert(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=new,fis |3/rh-eclipse46-tika=notaffe
|-2/tika-core=notaffected,fu |cted,fis-2/tika-core=notaff
|se-7/camel-tika=notaffected |ected,fuse-7/camel-tika=not
|,fsw-6/tika-core=new,brms-5 |affected,fsw-6/tika-core=ne
|/tika-core=new,brms-6/tika- |w,brms-5/tika-core=new,brms
|core=new,bpms-6/tika-core=n |-6/tika-core=new,bpms-6/tik
|ew,jdv-6/tika-core=new,rhn_ |a-core=new,jdv-6/tika-core=
|satellite_5/tika=wontfix/im |new,rhn_satellite_5/tika=wo
|pact=low |ntfix/impact=low
--
You are receiving this mail because:
You are on the CC list for the bug.
10:53 a.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
--- Comment #6 from Andrej Nemec <anemec(a)redhat.com> ---
Statement:
This issue affects the versions of tika which is embedded in the nutch package
as shipped with Red Hat Satellite 5. The tika server is not exposed, as such
exploitation is difficult, Red Hat Product Security has rated this issue as
having security impact of Low. A future update may address this issue. For
additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.
--
You are receiving this mail because:
You are on the CC list for the bug.
2:27 a.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pavelp(a)redhat.com
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=notaffe |3/rh-eclipse46-tika=notaffe
|cted,fis-2/tika-core=notaff |cted,fis-2/tika-core=notaff
|ected,fuse-7/camel-tika=not |ected,fuse-7/camel-tika=not
|affected,fsw-6/tika-core=ne |affected,fsw-6/tika-core=ne
|w,brms-5/tika-core=new,brms |w,brms-5/tika-core=affected
|-6/tika-core=new,bpms-6/tik |,brms-6/tika-core=new,bpms-
|a-core=new,jdv-6/tika-core= |6/tika-core=new,jdv-6/tika-
|new,rhn_satellite_5/tika=wo |core=new,rhn_satellite_5/ti
|ntfix/impact=low |ka=wontfix/impact=low
--
You are receiving this mail because:
You are on the CC list for the bug.
1:15 a.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |krathod(a)redhat.com
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=notaffe |3/rh-eclipse46-tika=notaffe
|cted,fis-2/tika-core=notaff |cted,fis-2/tika-core=notaff
|ected,fuse-7/camel-tika=not |ected,fuse-7/camel-tika=not
|affected,fsw-6/tika-core=ne |affected,fsw-6/tika-core=ne
|w,brms-5/tika-core=affected |w,brms-5/tika-core=affected
|,brms-6/tika-core=new,bpms- |,brms-6/tika-core=affected,
|6/tika-core=new,jdv-6/tika- |bpms-6/tika-core=affected,j
|core=new,rhn_satellite_5/ti |dv-6/tika-core=new,rhn_sate
|ka=wontfix/impact=low |llite_5/tika=wontfix/impact
| |=low
--
You are receiving this mail because:
You are on the CC list for the bug.
11:48 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=notaffe |3/rh-eclipse46-tika=notaffe
|cted,fis-2/tika-core=notaff |cted,fis-2/tika-core=notaff
|ected,fuse-7/camel-tika=not |ected,fuse-7/camel-tika=not
|affected,fsw-6/tika-core=ne |affected,fsw-6/tika-core=ne
|w,brms-5/tika-core=affected |w,brms-5/tika-core=wontfix,
|,brms-6/tika-core=affected, |brms-6/tika-core=affected,b
|bpms-6/tika-core=affected,j |pms-6/tika-core=affected,jd
|dv-6/tika-core=new,rhn_sate |v-6/tika-core=new,rhn_satel
|llite_5/tika=wontfix/impact |lite_5/tika=wontfix/impact=
|=low |low
--
You are receiving this mail because:
You are on the CC list for the bug.
3:20 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Chess Hazlett <chazlett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=notaffe |3/rh-eclipse46-tika=notaffe
|cted,fis-2/tika-core=notaff |cted,fis-2/tika-core=notaff
|ected,fuse-7/camel-tika=not |ected,fuse-7/camel-tika=not
|affected,fsw-6/tika-core=ne |affected,fsw-6/tika-core=no
|w,brms-5/tika-core=wontfix, |taffected,brms-5/tika-core=
|brms-6/tika-core=affected,b |wontfix,brms-6/tika-core=af
|pms-6/tika-core=affected,jd |fected,bpms-6/tika-core=aff
|v-6/tika-core=new,rhn_satel |ected,jdv-6/tika-core=affec
|lite_5/tika=wontfix/impact= |ted,rhn_satellite_5/tika=wo
|low |ntfix/impact=low
--
You are receiving this mail because:
You are on the CC list for the bug.
3:23 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Chess Hazlett <chazlett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|tika 1.8 |tika 1.18
--- Comment #8 from Chess Hazlett <chazlett(a)redhat.com> ---
corrected fixedin to 1.18
--
You are receiving this mail because:
You are on the CC list for the bug.
3:41 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Chess Hazlett <chazlett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1614537
--
You are receiving this mail because:
You are on the CC list for the bug.
5:46 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=notaffe |3/rh-eclipse46-tika=notaffe
|cted,fis-2/tika-core=notaff |cted,fis-2/tika-core=notaff
|ected,fuse-7/camel-tika=not |ected,fuse-7/camel-tika=not
|affected,fsw-6/tika-core=no |affected,fsw-6/tika-core=no
|taffected,brms-5/tika-core= |taffected,brms-5/tika-core=
|wontfix,brms-6/tika-core=af |wontfix,brms-6/tika-core=wo
|fected,bpms-6/tika-core=aff |ntfix,bpms-6/tika-core=affe
|ected,jdv-6/tika-core=affec |cted,jdv-6/tika-core=affect
|ted,rhn_satellite_5/tika=wo |ed,rhn_satellite_5/tika=won
|ntfix/impact=low |tfix/impact=low
--
You are receiving this mail because:
You are on the CC list for the bug.
5:51 p.m.
New subject: [Bug 1572416] CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
https://bugzilla.redhat.com/show_bug.cgi?id=1572416
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80425,reported=20180427,sou |80425,reported=20180427,sou
|rce=oss-security,cvss3=8.8/ |rce=oss-security,cvss3=8.8/
|CVSS:3.0/AV:N/AC:L/PR:L/UI: |CVSS:3.0/AV:N/AC:L/PR:L/UI:
|N/S:U/C:H/I:H/A:H,cwe=CWE-7 |N/S:U/C:H/I:H/A:H,cwe=CWE-7
|7,rhel-8/tika=affected,fedo |7,rhel-8/tika=affected,fedo
|ra-all/tika=affected,rhscl- |ra-all/tika=affected,rhscl-
|3/rh-eclipse46-tika=notaffe |3/rh-eclipse46-tika=notaffe
|cted,fis-2/tika-core=notaff |cted,fis-2/tika-core=notaff
|ected,fuse-7/camel-tika=not |ected,fuse-7/camel-tika=not
|affected,fsw-6/tika-core=no |affected,fsw-6/tika-core=no
|taffected,brms-5/tika-core= |taffected,brms-5/tika-core=
|wontfix,brms-6/tika-core=wo |wontfix,brms-6/tika-core=wo
|ntfix,bpms-6/tika-core=affe |ntfix,bpms-6/tika-core=wont
|cted,jdv-6/tika-core=affect |fix,jdv-6/tika-core=affecte
|ed,rhn_satellite_5/tika=won |d,rhn_satellite_5/tika=wont
|tfix/impact=low |fix/impact=low
--
You are receiving this mail because:
You are on the CC list for the bug.
2106
days inactive
2215
days old
java-sig-commits@lists.fedoraproject.org
16 comments
1 participants
participants (1)
-
bugzilla@redhat.com