CVE-2020-14940
Description
An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading GP6 (.gpx) and GP7 (.gp) tablature files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- TuxGuitar / TuxGuitar
Patches
Vulnerability mechanics
Root cause
"Misconfigured XML parsers that do not disable external entity processing, allowing XXE attacks when parsing GP6/GP7 tablature files."
Attack vector
An attacker crafts a malicious GP7 (`.gp`) or GP6 (`.gpx`) tablature file. Because the GP7 format is a ZIP archive containing an XML file (`Content/score.gpif`), the attacker embeds a DOCTYPE declaration with an external entity pointing to a URL under their control [ref_id=1]. When TuxGuitar opens the file, the misconfigured XML parser resolves the external entity, causing the application to make an outbound HTTP request to the attacker's server (out-of-band XXE) or, via a parameter entity and DTD, exfiltrate the contents of a local file (e.g., `/etc/issue`) as part of the URL [ref_id=1]. The only limitation is that the stolen file must not contain newline characters [ref_id=1].
Affected code
The vulnerable code is in `io/gpx/GPXDocumentReader.java` (TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java). The `getDocument(InputStream stream)` method creates a `DocumentBuilderFactory` via `newInstance()` and calls `newDocumentBuilder().parse(stream)` without disabling external entity processing [ref_id=1]. The advisory also lists several other classes across the application that use similarly misconfigured XML parsers [ref_id=1].
What the fix does
The advisory recommends following the OWASP XML External Entity Prevention Cheat Sheet by disabling DOCTYPE declarations entirely. The proposed fix is to set the feature `http://apache.org/xml/features/disallow-doctype-decl` to `true` on the `DocumentBuilderFactory` instance before parsing [ref_id=1]. This prevents the parser from processing any DOCTYPE declaration, which blocks both the declaration of external entities and the use of parameter entities for data exfiltration. No official patch has been published in the bundle; the fix proposition is the only remediation guidance provided [ref_id=1].
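The fix proposition above, as an added Java example that is not TuxGuitar's own code: the default-factory pattern the advisory describes in `getDocument()` beside a hardened factory, both run against a constructed DOCTYPE-bearing document standing in for `Content/score.gpif`. The class name and sample XML are assumptions; the two extra SAX features are taken from the OWASP cheat sheet the advisory cites, not from the advisory's own text.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class GpifParserHardening {
    // Same pattern the advisory describes in GPXDocumentReader.getDocument():
    // a default factory, whose JDK parser honours DOCTYPE and resolves entities.
    static Document parseDefault(InputStream stream) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        return factory.newDocumentBuilder().parse(stream);
    }

    // The advisory's fix proposition: refuse any DOCTYPE, so general, external
    // and parameter entities cannot be declared at all. The two extra features
    // are OWASP cheat-sheet defence in depth, not part of the advisory's text.
    static Document parseHardened(InputStream stream) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return factory.newDocumentBuilder().parse(stream);
    }

    // Constructed sample standing in for Content/score.gpif. A DOCTYPE with a
    // purely internal entity suffices: the hardened parser refuses the document
    // before any entity could be resolved.
    static final String DOCTYPE_SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE GPIF [ <!ENTITY title \"constructed\"> ]>\n"
        + "<GPIF><Score><Title>&title;</Title></Score></GPIF>";

    static InputStream asStream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseDefault(asStream(DOCTYPE_SAMPLE));
        System.out.println("default parser expanded the entity: "
            + doc.getElementsByTagName("Title").item(0).getTextContent());
        try {
            parseHardened(asStream(DOCTYPE_SAMPLE));
            System.out.println("hardened parser unexpectedly accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```

With the default factory the `Title` element reads `constructed`; with the hardened factory the same bytes fail at the DOCTYPE with a `SAXParseException`, which is the behaviour a unit test for the `.gp`/`.gpx` loader should assert.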
Preconditions
- input: The victim must open a maliciously crafted GP6 (.gpx) or GP7 (.gp) tablature file in TuxGuitar.
- network: For out-of-band exfiltration, the attacker must control a network-accessible server to receive the HTTP request or serve a malicious DTD.
Reproduction
The advisory includes two proof-of-concept files (poc1.gp and poc2.gp) and reproduction steps [ref_id=1]. For poc1.gp: run a local HTTP server (`python3 -m http.server`), open the file in TuxGuitar, and observe the incoming HTTP request on the server. For poc2.gp: serve a malicious DTD file (`ev1.dtd`) from the local server, open the file in TuxGuitar, and observe the exfiltrated file content (e.g., `/etc/issue`) in the HTTP request path [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- logicaltrust.net/blog/2020/06/tuxguitar.html
- sourceforge.net/p/tuxguitar/bugs/126/