From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 11 | all | tika | < 1.18-1 | tika_1.18-1_all.deb |
Debian | 10 | all | tika | < 1.18-1 | tika_1.18-1_all.deb |
Debian | 999 | all | tika | < 1.18-1 | tika_1.18-1_all.deb |