Critical severity9.8NVD Advisory· Published Oct 3, 2017· Updated May 13, 2026

CVE-2017-12620

Description

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.opennlp:opennlp-toolsMaven	>= 1.5.0, < 1.8.2	1.8.2

Affected products

Apache/Opennlp10 versions
cpe:2.3:a:apache:opennlp:1.5.0:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:a:apache:opennlp:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:opennlp:1.8.1:*:*:*:*:*:*:*
Apache Software Foundation/Apache OpenNLPv5
Range: 1.5.0 to 1.5.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

opennlp.apache.org/news/cve-2017-12620.htmlnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-h22x-hm8g-rxpgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-12620ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000