Unrated severity · NVD Advisory · Published Jan 13, 2020 · Updated Aug 4, 2024

CVE-2020-6958

Description

An XML External Entity (XXE) vulnerability in YAJSW 12.14's JnlpSupport class, used by NSA Ghidra Server, allows data exfiltration and denial-of-service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An XML External Entity (XXE) vulnerability exists in the JnlpSupport class of Yet Another Java Service Wrapper (YAJSW) version 12.14, which is included in NSA Ghidra Server up to version 9.0.4 and other products. The parseJnlp function uses DocumentBuilderFactory and DocumentBuilder without disabling external entity processing, allowing an attacker to inject malicious XML entities into a .jnlp configuration file [1][2][3].

Exploitation

To exploit, an attacker provides a specially crafted .jnlp file containing an XXE payload and sets the WRAPPER_CONF variable in the ghidraSvr script to point to that file. When ghidraSvr starts, the vulnerable parser processes the file and resolves the embedded external entities. The attacker does not require authentication but needs the ability to modify the configuration file (e.g., via compromised write access or social engineering) [1][2].

Impact

A successful XXE attack can lead to server-side request forgery (SSRF) and file exfiltration, allowing the attacker to read arbitrary files from the server's filesystem (e.g., /tmp/testfile.txt) and exfiltrate the contents to an attacker-controlled HTTP server. The vulnerability can also be used to cause denial-of-service by exhausting server resources [1][2].

Mitigation

As of the available references, no official patch from YAJSW or Ghidra was released for CVE-2020-6958. A suggested workaround is to prevent .jnlp files from being used as values for WRAPPER_CONF until YAJSW applies a fix. Disabling XML external entity processing in the DocumentBuilderFactory (following OWASP guidance) would resolve the issue at the code level [2][3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing XML external entity (XXE) protection in JnlpSupport's parseJnlp function allows an attacker-controlled XML file to define and resolve external entities."

Attack vector

An attacker crafts a `.jnlp` XML file containing an XXE payload that references an external entity pointing to an attacker-controlled server [1][2]. The attacker then modifies the `WRAPPER_CONF` value in the `ghidraSvr` script to point to this malicious `.jnlp` file [2]. When the Ghidra server is started via `ghidraSvr`, YAJSW's `JnlpSupport` parses the XML without disabling external entities, causing the server to connect to the attacker's server and exfiltrate data [1][2]. The attack can also be used for server-side request forgery (SSRF) and denial of service [1].

Affected code

The vulnerable code resides in the `parseJnlp` function of the `JnlpSupport` class in YAJSW. This function creates a `DocumentBuilderFactory` and `DocumentBuilder` instance and parses an XML input stream without disabling external entity processing [3]. The `DocumentBuilderFactory.newInstance()` is used with only `setValidating(false)` and `setNamespaceAware(false)`, leaving XXE processing enabled by default [3].

What the fix does

No patch is shown in the bundle. The advisory recommends applying OWASP guidance for XML External Entity Prevention, which involves disabling DTD processing and external entity expansion on the `DocumentBuilderFactory` instance [3]. The reporter also suggests adding a filter to disallow `.jnlp` files as values for `WRAPPER_CONF` as a temporary mitigation [2]. The root cause is that `DocumentBuilderFactory.newInstance()` is used without calling methods such as `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` or `setExpandEntityReferences(false)` to prevent XXE [3].

Preconditions

  • input: Attacker must be able to place a malicious .jnlp file on the target system or control a network-accessible location from which the target will retrieve it
  • config: Attacker must be able to modify the WRAPPER_CONF value in the ghidraSvr script (or the equivalent configuration mechanism)
  • config: The Ghidra server must be started using ghidraSvr after the configuration change

Reproduction

Create an XML file with an XXE payload such as: `...` (see full payload in [1]). Set the file extension to `.jnlp`. Modify the `WRAPPER_CONF` value in `

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
