CVE-2020-6958
CRITICAL
Yet Another Java Service Wrapper 12.14 - XML External Entity Injection in JnlpSupport
Title source: llm
Description
An XXE vulnerability in JnlpSupport in Yet Another Java Service Wrapper (YAJSW) 12.14, as used in NSA Ghidra and other products, allows attackers to exfiltrate data from remote hosts and potentially cause denial-of-service.
References (3)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/yajsw/bugs/166/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/NationalSecurityAgency/ghidra/issues/943
Third Party Advisory x_refsource_misc
https://github.com/purpleracc00n/Exploits-and-PoC/blob/master/XXE%20in%20YAJSW%E2%80%99s%20JnlpSupport%20affects%20Ghidra%20Server.md
Scores
CVSS v3
9.1
EPSS
0.0235
EPSS Percentile
81.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-611
Status
published
Products (1)
yet_another_java_service_wrapper_project/yet_another_java_service_wrapper
12.14
Published
Jan 14, 2020
Tracked Since
Feb 18, 2026