CVE-2017-12620

Summary

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache OpenNLP1.5.0 to 1.5.3affected
Apache Software FoundationApache OpenNLP1.6.0affected
Apache Software FoundationApache OpenNLP1.7.0 to 1.7.2affected
Apache Software FoundationApache OpenNLP1.8.0 to 1.8.1affected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References