[JENKINS:SECURITY-1699] XXE vulnerability in `code-coverage-api`

Severity: High
Affected packages: 2
Fixed packages: 2
CVEs: 1

code-coverage-api 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks: the report parser accepts a DOCTYPE and resolves the external entities it declares.
This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted report that uses external entities. Because the report is parsed on the Jenkins controller, such a file can read files from the controller (extraction of secrets) or make the controller issue requests to attacker-chosen URLs (server-side request forgery).

code-coverage-api 1.1.5 disables external entity resolution for its XML parser.
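As an added illustration, not code from the plugin or from the Jenkins Security Team, the following Java shows what "does not configure its XML parser" means in JAXP terms, and the kind of configuration that closes it. The report layout, the temporary "secret" file and the class and method names are constructed for this demo; the feature URIs are the standard JDK/Xerces ones, and the hardened set is the generally recommended configuration rather than the plugin's exact 1.1.5 change.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class CoverageXxeDemo {

    /** Constructed stand-in for a crafted coverage report. The DOCTYPE declares an
     *  external entity pointing at a local file; the entity is then used in an
     *  attribute the report consumer reads back (here, a package name). */
    static String craftedReport(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE report [\n"
             + "  <!ENTITY leak SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<report name=\"build-42\">\n"
             + "  <package name=\"&leak;\"/>\n"
             + "</report>\n";
    }

    /** Default JAXP factory: DTDs are processed and external entities resolved,
     *  which is the 1.1.4-and-earlier condition the advisory describes. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory. Rejecting DOCTYPE outright stops XXE before any entity can
     *  be declared; the remaining flags are defence in depth for parsers that do not
     *  honour the first feature. Feature URIs are the standard Xerces/JDK ones. */
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Mimics what a report consumer does: parse, then read the first package name. */
    static String firstPackageName(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("package").item(0)
                  .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the controller filesystem (constructed, then deleted).
        Path secret = Files.createTempFile("controller-secret", ".key");
        Files.writeString(secret, "s3cr3t-master-key");
        String xml = craftedReport(secret.toUri().toString());
        try {
            // Vulnerable path: the file's contents come back as the package name.
            System.out.println("unsafe parser returned: " + firstPackageName(unsafeBuilder(), xml));

            // Hardened path: parsing fails at the DOCTYPE, so the file is never opened.
            try {
                firstPackageName(safeBuilder(), xml);
            } catch (SAXParseException e) {
                System.out.println("safe parser rejected report: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Save as CoverageXxeDemo.java and run with `java CoverageXxeDemo.java` (Java 11 or later). The same crafted entity with an `http://` SYSTEM identifier instead of a `file://` one is the SSRF variant: the controller performs the fetch. Note that `FEATURE_SECURE_PROCESSING` alone already restricts external DTD and entity access in JDK parsers, but the explicit features make the intent obvious in review and protect against a differently configured parser implementation on the classpath.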

ID: JENKINS:SECURITY-1699
Severity: high
Published: 2020-04-07T00:00:00
Modified: 2020-04-07T00:00:00
Rights: Jenkins Security Team
Other Advisories
  Source: Plugin repository
  ID:     code-coverage-api
  Name:   repository
  URL:    https://github.com/jenkinsci/code-coverage-api-plugin

Affected and fixed packages
  Type      Package URL                                          Namespace               Name                      Version
  Affected  pkg:maven/org.jenkins-ci.plugins/code-coverage-api   org.jenkins-ci.plugins  code-coverage-api         <= 1.1.4
  Fixed     pkg:maven/org.jenkins-ci.plugins/code-coverage-api   org.jenkins-ci.plugins  code-coverage-api         = 1.1.5
  Affected  pkg:github/jenkinsci/code-coverage-api-plugin        jenkinsci               code-coverage-api-plugin  <= 1.1.4
  Fixed     pkg:github/jenkinsci/code-coverage-api-plugin        jenkinsci               code-coverage-api-plugin  = 1.1.5