Description

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

Remediation

References

http://opennlp.apache.org/news/cve-2017-12620.html

Related Vulnerabilities

CVE-2020-22864 Vulnerability in npm package froala-editor

CVE-2018-1002202 Vulnerability in maven package net.lingala.zip4j:zip4j

CVE-2013-5960 Vulnerability in maven package org.owasp.esapi:esapi

CVE-2015-8857 Vulnerability in npm package uglify-js

CVE-2020-7637 Vulnerability in npm package class-transformer

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Vendor Advisory