PT-2016-3610 · Apache · Apache Tika Server

Tim Allison · Published 2016-12-15 · Updated 2023-02-13 · CVE-2015-3271

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Tika server (aka tika-server) version 1.9

Description: The issue allows remote attackers to read arbitrary files via the HTTP fileUrl header. This is possible when Apache Tika is used as a web service, enabling a third party to pass a fileUrl header to the Apache Tika Server. The header lets a remote client request that the server fetch content from the URL provided, including files from the server's local filesystem. Depending on the file permissions set on the local filesystem, this could be used to return sensitive content from the server machine.

Recommendations: For Apache Tika server version 1.9, update to version 1.10 or later to resolve the issue. As a temporary workaround, restrict access to the tika-server URL to prevent untrusted access. Additionally, consider disabling the fileUrl header functionality until a patch is applied.
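As an added example that is not part of this advisory or of Apache Tika itself, the following header-policy filter implements the workaround of stripping the fileUrl header in a proxy placed in front of tika-server, and records what was dropped so the attempt can be logged. The function names, the optional allow-remote mode and the sample headers are assumptions made for the illustration.

```python
# Added example (not from the advisory or from Apache Tika): drop the fileUrl
# header before forwarding a request to tika-server, and report what was seen.
from urllib.parse import urlparse

# A bare path has no scheme; a single-letter scheme is a Windows drive letter.
LOCAL_SCHEMES = {"file", ""}


def classify_fileurl(value: str) -> str:
    """Return 'local' when the URL would make tika-server read its own
    filesystem, otherwise 'remote'."""
    scheme = urlparse(value.strip()).scheme.lower()
    if scheme in LOCAL_SCHEMES or len(scheme) == 1:
        return "local"
    return "remote"


def filter_headers(headers: dict, allow_remote: bool = False):
    """Return (clean_headers, findings).

    Header names are matched case-insensitively. Every fileUrl header is
    removed unless allow_remote is set and the value is a remote URL.
    findings lists (kind, value) for each dropped header for logging.
    """
    clean, findings = {}, []
    for name, value in headers.items():
        if name.lower() != "fileurl":
            clean[name] = value
            continue
        kind = classify_fileurl(value)
        if kind == "remote" and allow_remote:
            clean[name] = value
        else:
            findings.append((kind, value))
    return clean, findings


if __name__ == "__main__":
    # Constructed sample request headers, not captured traffic.
    sample = {"Content-Type": "application/pdf", "FileUrl": "file:///etc/hostname"}
    forwarded, dropped = filter_headers(sample)
    print("forwarded:", forwarded)
    print("dropped:", dropped)
```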

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2015-3271
GHSA-CCJP-W723-2JF2

Affected Products

Apache Tika Server