PT-2025-50359 · Jenkins · Jenkins Coverage Plugin

Kevin Guerroudj

·

Published

2025-12-03

·

Updated

2025-12-14

·

CVE-2025-67641

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins Coverage Plugin versions 2.3054.ve1ff7b a a 123b and earlier
Description: The Jenkins Coverage Plugin does not validate the configured coverage results ID when a job's configuration is submitted through the REST API; the check runs only in the UI configuration form. An attacker with Item/Configure permission can therefore set a javascript: scheme URL as the identifier via the REST API, resulting in stored cross-site scripting (XSS). The vulnerable configuration path is the '/job//api/json' endpoint with the coverageResultsId parameter.
Recommendations: Update Jenkins Coverage Plugin to a version later than 2.3054.ve1ff7b a a 123b. As a temporary workaround, restrict access to the REST API endpoint '/job//api/json' for users with Item/Configure permission.
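As an added example (not the advisory's or the plugin's own code), the following shows the defensive pattern the bug calls for: one identifier validator applied on every path that accepts the value, plus an audit that scans job config.xml fragments for identifiers carrying a URL scheme. The <coverageResultsId> element name and the allowed-character rule are assumptions; the config fragments are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Allowed identifier shape (assumed policy; the plugin's exact rule is not on the page).
SAFE_ID = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Anything that looks like "<scheme>:" at the start, e.g. javascript:, data:.
URL_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def validate_coverage_id(value: str) -> tuple[bool, str]:
    """Return (ok, reason). The same check must run on the UI form path and on
    the REST/XML config path; validating only one of them is the bug described."""
    if not value:
        return True, "empty identifier, plugin default applies"
    # Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
    # so strip them before looking for one.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    m = URL_SCHEME.match(cleaned)
    if m:
        return False, f"identifier carries a URL scheme: {m.group(1).lower()}:"
    if not SAFE_ID.match(value):
        return False, "identifier contains characters outside [A-Za-z0-9._-]"
    return True, "ok"


def audit_configs(configs: dict[str, str]) -> list[dict]:
    """Scan job config.xml texts for <coverageResultsId> elements (element name
    assumed) that fail validation, e.g. values that arrived through the REST API."""
    findings = []
    for job, xml_text in configs.items():
        for elem in ET.fromstring(xml_text).iter("coverageResultsId"):
            ok, reason = validate_coverage_id(elem.text or "")
            if not ok:
                findings.append({"job": job, "value": elem.text, "reason": reason})
    return findings


# Constructed config.xml fragments for demonstration, not real job data.
SAMPLE_CONFIGS = {
    "build-a": "<project><publishers><recorder><coverageResultsId>coverage-main"
               "</coverageResultsId></recorder></publishers></project>",
    "build-b": "<project><publishers><recorder><coverageResultsId>javascript:void(0)"
               "</coverageResultsId></recorder></publishers></project>",
}

if __name__ == "__main__":
    for f in audit_configs(SAMPLE_CONFIGS):
        print(f"{f['job']}: {f['reason']} (value={f['value']!r})")
```

Running the audit over a real Jenkins home means feeding it each job's config.xml; any finding indicates a value that bypassed the form-only check and should be corrected before the plugin is upgraded.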

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-00823
CVE-2025-67641
GHSA-V3F3-RF6R-43X5

Affected Products

Jenkins
Jenkins Coverage Plugin