CVE-2018-11762

Name of the Vulnerable Software and Affected Versions Apache Tika versions 0.9 through 1.18

Description The issue arises in a rare edge case where a user does not specify an extract directory on the command line and the input file has an embedded file with an absolute path. For example, if the input file contains "C:/evil.bat", tika-app would overwrite that file.

Recommendations For Apache Tika versions 0.9 through 1.18, consider specifying an extract directory on the command line using the --extract-dir option to avoid potential file overwrites. As a temporary workaround, restrict the use of absolute paths in embedded files to minimize the risk of exploitation.