CVE-2017-12620: Improper Restriction of XML External Entity Reference

May 17, 2022 (updated July 1, 2022)

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

References

opennlp.apache.org/news/cve-2017-12620.html
github.com/advisories/GHSA-h22x-hm8g-rxpg
nvd.nist.gov/vuln/detail/CVE-2017-12620

Detect and mitigate CVE-2017-12620 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →