CVE-2017-12620

high-risk
Published 2017-10-03

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (10)

Opennlp
Opennlp
Opennlp
Opennlp
Opennlp
Opennlp
Opennlp
Opennlp
Opennlp
Opennlp

Affected Vendors

Apache

References (2)

Exploit http://opennlp.apache.org/news/cve-2017-12620.html
Exploit http://opennlp.apache.org/news/cve-2017-12620.html
51
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 16/34 · Moderate