PT-2020-15382 · Jenkins · Jenkins Code Coverage Api Plugin+1

Federico Pellegrin · Published 2020-04-07 · Updated 2023-10-25 · CVE-2020-2172

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Code Coverage API Plugin versions 1.1.4 and earlier

Description: A user who can control the input files for the "Publish Coverage Report" post-build step can have Jenkins parse a crafted file that declares external entities. Because the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, such a file can be used to extract secrets from the Jenkins controller or to perform server-side request forgery.

Recommendations: For Jenkins Code Coverage API Plugin versions 1.1.4 and earlier, update to version 1.1.5 or later, which disables external entity resolution for its XML parser. As a temporary workaround, consider restricting access to the "Publish Coverage Report" post-build step to minimize the risk of exploitation.
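The fix described above amounts to configuring the JDK XML parser so that it never resolves external entities. The following Java example is added here for illustration; it is not the plugin's code, and the class name, the sample report, and the placeholder SYSTEM URI are all constructed for this example. It contrasts a default-configured `DocumentBuilderFactory` with a hardened one that rejects any DOCTYPE declaration and, as defence in depth, also turns off the individual external-entity and external-DTD features. The `main` method parses the constructed sample with the hardened factory only and shows it being rejected.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class CoverageXmlParsing {

    // Constructed sample: a coverage-style report whose DOCTYPE declares an
    // external entity. The SYSTEM URI is a labelled placeholder, not a real path.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE coverage [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
        + "<coverage><file name=\"&ext;\"/></coverage>";

    // Default-configured factory (assumed, for contrast): unless told otherwise the
    // JDK parser resolves external entities and loads external DTDs.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refuse DOCTYPE declarations outright, so no entity can be
    // declared at all, and additionally disable every external-entity feature in
    // case a future change re-enables DOCTYPE processing.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse an in-memory document with whichever factory the caller chose.
    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // With disallow-doctype-decl set, the parser throws before any entity is resolved.
        try {
            parse(hardenedFactory(), SAMPLE_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the simplest durable setting for a report format that never legitimately needs one; the remaining feature switches only matter if DOCTYPE processing has to stay enabled for some other reason.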

Fix

XXE

XML Entity Expansion

Weakness Enumeration

Related Identifiers: CVE-2020-2172, GHSA-CMGM-Q8HF-P7JC

Affected Products: Jenkins, Jenkins Code Coverage Api Plugin