CVE-2020-2139 – org.jenkins-ci.plugins:cobertura
Package
Manager: maven
Name: org.jenkins-ci.plugins:cobertura
Vulnerable Version: >=0 <1.16
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.05232 (percentile 0.89583)
Details
Arbitrary file write vulnerability in Jenkins Cobertura Plugin
An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system. Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.
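The containment check the 1.16 fix describes, as an added illustration rather than the plugin's own code: resolve every report-derived file name under the intended base directory and reject any result that leaves it. The base path and the sample file names are assumed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Cobertura Plugin code): confine a file name taken from an
// untrusted coverage report to a fixed base directory before writing to it.
public final class SafePath {

    // Returns the resolved path if it stays inside base; throws otherwise.
    // Both "../" traversal and absolute paths are rejected, because resolve()
    // on an absolute argument discards the base entirely.
    public static Path resolveUnderBase(Path base, String untrusted) throws IOException {
        Path baseNorm = base.toAbsolutePath().normalize();
        Path candidate = baseNorm.resolve(untrusted).normalize();
        // Path.startsWith compares whole components, so ".../cobertura2"
        // does not pass as a child of ".../cobertura".
        if (!candidate.startsWith(baseNorm)) {
            throw new IOException("path escapes base directory: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Assumed base directory for the demo; the plugin's real layout may differ.
        Path base = Paths.get("/var/lib/jenkins/jobs/demo/cobertura");
        System.out.println(resolveUnderBase(base, "com/example/Foo.java.html"));
        for (String bad : new String[] {"../../../../etc/passwd", "/etc/passwd"}) {
            try {
                resolveUnderBase(base, bad);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

normalize() only handles lexical "." and ".." segments; if symlinks may exist under the base directory, compare against toRealPath() of the created file as well.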
Metadata
Created: 2022-05-24T17:10:27Z
Modified: 2023-01-05T20:25:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m935-chfp-9f63/GHSA-m935-chfp-9f63.json
CWE IDs: CWE-22
Alternative ID: GHSA-m935-chfp-9f63
Finding: F014
Auto approve: 1