CVE-2020-2139
Arbitrary file write vulnerability in Jenkins Cobertura Plugin
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 5.2%
Description
An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system. Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.
How to fix CVE-2020-2139
To remediate CVE-2020-2139, upgrade the affected package to a fixed version below.
- Jenkins Cobertura Plugin: upgrade to 1.16 or later
Is CVE-2020-2139 being exploited?
Moderate — EPSS is 5.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- Jenkins Cobertura Plugin: all versions from 0 up to but not including 1.16 (>= 0, < 1.16)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |