CVE-2017-12620

CRITICAL9.8EPSS 1.0%

Improper Restriction of XML External Entity Reference in Apache OpenNLP

發布日:2022/5/17修改日:2023/11/8

描述

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

受影響套件(1)

Maven/org.apache.opennlp:opennlp-tools>= 1.5.0, < 1.8.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(2)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-12620
WEBhttp://opennlp.apache.org/news/cve-2017-12620.html