CVE-2017-12620

NameCVE-2017-12620
DescriptionWhen loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache-opennlp (PTS)bullseye1.9.3-1fixed
bookworm2.1.0-1fixed
trixie2.5.3-1fixed
forky, sid2.5.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache-opennlpsource(unstable)(not affected)

Notes

- apache-opennlp <not-affected> (Fixed before initial upload to Debian)
https://opennlp.apache.org/news/cve-2017-12620.html

Search for package or bug name: Reporting problems