Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply [JEP-200 deserialization protection](https://github.com/jenkinsci/jep/tree/master/jep/200) to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

Affected Packages

Maven io.jenkins.plugins:code-coverage-api

Affected versions: 0 (fixed in 1.4.1)

Related CVEs

CVE-2021-21677

Key Information

GHSA ID

GHSA-58pr-hprx-7hg6

Published

May 24, 2022 7:12 PM

Last Modified

October 27, 2023 4:01 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

io.jenkins.plugins:code-coverage-api

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.