CVE-2018-11762
Description
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Tika 0.9 to 1.18, failing to specify an extract directory allows an embedded file with an absolute path to overwrite arbitrary files.
Vulnerability
In Apache Tika versions 0.9 through 1.18, a rare edge case exists where the user does not specify an extract directory via the --extract-dir= command-line option, and the input file contains an embedded file with an absolute path (e.g., C:/evil.bat). In this scenario, tika-app would overwrite the file at that absolute path [1][2].
Exploitation
An attacker must craft an input file (e.g., a document) containing an embedded file whose filename is an absolute path (such as C:/evil.bat). The victim must run tika-app without using the --extract-dir flag and extract embedded files. No special authentication or network position is required; the attack relies on the victim processing the malicious file [1][2].
Impact
Successful exploitation allows an attacker to overwrite arbitrary files on the victim's filesystem at the path specified in the embedded file. This can lead to privilege escalation, denial of service, or code execution if the overwritten file is an executable or critical system file [1][2].
Mitigation
The vulnerability is fixed in Apache Tika 1.19 [2]. Users should upgrade to version 1.19 or later. As a workaround, always explicitly specify a safe extract directory using the --extract-dir= option when running tika-app [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tika:tika-core | Maven | >= 0.9, < 1.19 | 1.19 |
Affected products
- Apache Software Foundation / Apache Tika, affected range: 0.9 to 1.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-w6g3-v46q-5p28 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-11762 (NVD entry)
- https://www.securityfocus.com/bid/105515 (SecurityFocus BID, vulnerability database entry)
- https://lists.apache.org/thread.html/ab2e1af38975f5fc462ba89b517971ef892ec3d06bee12ea2258895b%40%3Cdev.tika.apache.org%3E (Apache dev.tika mailing-list announcement, cited by MITRE)
- https://lists.apache.org/thread.html/ab2e1af38975f5fc462ba89b517971ef892ec3d06bee12ea2258895b@%3Cdev.tika.apache.org%3E (same mailing-list thread, cited by GHSA)
News mentions
No linked articles in our index yet.