CVE-2017-12620
Improper Restriction of XML External Entity Reference in Apache OpenNLP
9.8
CRITICAL
CVSS 3.1
EPSS 1.0%
Description
When loading models or dictionaries that contain XML, it is possible to perform an XXE attack. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. Versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, and 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
How to fix CVE-2017-12620
To remediate CVE-2017-12620, upgrade the affected package to a fixed version below.
- Upgrade to 1.8.2 or later
Is CVE-2017-12620 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.5.0, < 1.8.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |