When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Opennlp
APPApache1.5.01.5.11.5.21.5.31.6.01.7.01.7.11.7.21.8.01.8.1
Related vulnerabilities
XXE w Apache OpenNLP — ujawnienie plików i SSRF przez parsowanie słowników
Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: bef...
OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected...
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych
Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację