VYPR
Critical severity · CVSS 9.8 · NVD Advisory · Published Oct 3, 2017 · Updated Jun 17, 2026

CVE-2017-12620

Description

When loading models or dictionaries that contain XML, it is possible to perform an XXE (XML External Entity) attack: an external entity declared in the DOCTYPE of an attacker-supplied model or dictionary is resolved by the XML parser when the file is loaded. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. Versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, and 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
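To make the failure mode concrete, the following is an added example (not code from the OpenNLP project or from this advisory) showing the same class of bug in plain JAXP: a constructed dictionary file carrying an external entity, parsed once with the default DocumentBuilderFactory, which resolves the entity, and once with a factory hardened to reject any DOCTYPE. The element names (`dictionary`, `entry`, `token`) are modeled on OpenNLP's dictionary XML but the file, the entity and the target path `/etc/hostname` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class DictionaryXxeDemo {

    // Constructed sample (not an OpenNLP file): an OpenNLP-style dictionary whose
    // first <token> is an external entity. The attacker controls the whole file,
    // so the DOCTYPE and entity declaration are theirs. The target path is an
    // illustrative assumption; any file the JVM can read would do.
    static final String UNTRUSTED_DICTIONARY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE dictionary [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<dictionary case_sensitive=\"false\">\n"
      + "  <entry><token>&xxe;</token></entry>\n"
      + "  <entry><token>New</token><token>York</token></entry>\n"
      + "</dictionary>\n";

    /** Vulnerable pattern: JAXP defaults, external general entities are resolved. */
    static DocumentBuilder unsafeBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    /** Hardened pattern: no DOCTYPE accepted at all, so no entity can be declared,
     *  plus belt-and-braces switches in case a parser ignores the first feature. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the dictionary and returns the text of its first <token>. */
    static String firstToken(DocumentBuilder builder, String xml) throws Exception {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document doc = builder.parse(in);
            NodeList tokens = doc.getElementsByTagName("token");
            return tokens.getLength() == 0 ? "" : tokens.item(0).getTextContent();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default builder: the first token becomes the contents of /etc/hostname, or the
        // parse fails with an I/O error on systems without that file. Either way the
        // parser has already reached out to the filesystem on the attacker's behalf.
        try {
            System.out.println("default parser, first token: "
                + firstToken(unsafeBuilder(), UNTRUSTED_DICTIONARY).trim());
        } catch (Exception e) {
            System.out.println("default parser failed after trying to resolve the entity: " + e);
        }

        // Hardened builder: the document is rejected at the DOCTYPE, before any entity
        // declaration is seen, so nothing is ever resolved.
        try {
            firstToken(hardenedBuilder(), UNTRUSTED_DICTIONARY);
            System.out.println("unexpected: hardened parser accepted the dictionary");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the dictionary: " + e.getMessage());
        }
    }
}
```

The check a practitioner wants when triaging this CVE in their own application is the second half of the block: whatever code path feeds untrusted model or dictionary bytes into OpenNLP, the XML parser it ends up in must be configured like `hardenedBuilder()`, or the application must upgrade to a version where the library does this itself. Because OpenNLP is a library, the advisory does not apply to applications that only ever load models and dictionaries they ship themselves.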

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.opennlp:opennlp-tools (Maven)
Affected versions: >= 1.5.0, < 1.8.2
Patched versions: 1.8.2

Affected products

  • Apache/Opennlp (10 versions)
    • cpe:2.3:a:apache:opennlp:1.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:opennlp:1.8.1:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 1.5.0, < 1.8.2
  • Apache Software Foundation/Apache OpenNLP (v5)
    Range: 1.5.0 to 1.5.3
