CVE-2018-1335
Description
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tika 1.7–1.17 tika-server is vulnerable to command injection via crafted HTTP headers, enabling remote code execution.
Vulnerability
From Apache Tika versions 1.7 to 1.17, the tika-server component can be exploited by sending carefully crafted HTTP headers. The server uses these headers in command-line invocations without proper sanitization, allowing an attacker to inject arbitrary operating system commands. This vulnerability only affects deployments where tika-server is exposed to untrusted clients. The affected versions are 1.7 through 1.17 [2][4].
Exploitation
An attacker must be able to send HTTP requests to the tika-server instance. No authentication is required if the server is exposed to untrusted networks. The attacker crafts specific headers that, when processed by the server, are injected into command-line arguments passed to underlying operating system utilities. The exact sequence involves sending a malicious request with crafted header values that break out of the intended argument and append arbitrary commands [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the server with the privileges of the Tika process. This leads to full remote code execution (RCE), enabling compromise of the host system's confidentiality, integrity, and availability [2][3].
Mitigation
Upgrading to Apache Tika 1.18 or later resolves the vulnerability [2][4]. Red Hat released an advisory (RHSA-2019:3140) for Red Hat JBoss Data Virtualization 6.4.8, which includes the fix [3]. No workarounds are documented for deployments that cannot immediately upgrade; the only secure option is to restrict network access to tika-server until the patch is applied.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tika:tika-core | Maven | >= 1.7, < 1.18 | 1.18 |
Affected products
- Apache Software Foundation / Apache Tika, affected range: 1.7 to 1.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://www.exploit-db.com/exploits/46540/ (Exploit-DB, exploit)
- https://access.redhat.com/errata/RHSA-2019:3140 (Red Hat vendor advisory)
- https://github.com/advisories/GHSA-9r24-gp44-h3pm (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-1335 (NVD)
- https://packetstormsecurity.com/files/153864/Apache-Tika-1.17-Header-Command-Injection.html (Packet Storm)
- https://www.securityfocus.com/bid/104001 (SecurityFocus BID, VDB entry)
- https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca%40%3Cdev.tika.apache.org%3E (Apache dev-tika mailing list)
News mentions
No linked articles in our index yet.