CVE-2020-2138

Name of the Vulnerable Software and Affected Versions Jenkins Cobertura Plugin versions 1.15 and earlier

Description The issue allows a user who can control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities. This can lead to extraction of secrets from the Jenkins controller or server-side request forgery due to the XML parser not being configured to prevent XML external entity (XXE) attacks.

Recommendations For Jenkins Cobertura Plugin versions 1.15 and earlier, update to version 1.16 or later, which disables external entity resolution for its XML parser.