GHSA-m935-chfp-9f63

GitHub Security Advisory

Arbitrary file write vulnerability in Jenkins Cobertura Plugin

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system. Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.
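The kind of base-directory containment check the fix describes, as an added example (not the Cobertura Plugin's own code). It assumes file names read from an untrusted coverage report are resolved under a per-build base directory; the class name, method name and sample names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Added illustration; names are hypothetical, not the Cobertura Plugin's API. */
public class ReportPathCheck {

    /** Resolves a report-supplied file name under baseDir, refusing anything that lands outside it. */
    static Path resolveInside(Path baseDir, String reportedName) throws IOException {
        Path base = baseDir.toRealPath();                         // canonical base, symlinks resolved
        Path candidate = base.resolve(reportedName).normalize();  // collapses "." and ".." segments
        // An absolute reportedName replaces the base in resolve(), so this check covers
        // that case too. Path.startsWith compares whole elements: "/base-evil" != "/base".
        if (!candidate.startsWith(base)) {
            throw new SecurityException("report path escapes base directory: " + reportedName);
        }
        // Re-check the nearest existing ancestor's real path, so a symlink that
        // already exists inside base cannot redirect the write elsewhere.
        Path existing = candidate;
        while (!Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(base)) {
            throw new SecurityException("report path leaves base directory via symlink: " + reportedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("coverage-src");    // stand-in for the per-build directory
        // Constructed sample names, as they might appear in a report (assumption).
        List<String> reported = List.of(
                "com/example/Foo.java",
                "../../outside.txt",
                "/tmp/absolute.txt",
                "a/../../sibling.txt");
        for (String name : reported) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolveInside(base, name));
            } catch (SecurityException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Only the first sample name is accepted; the other three are rejected before any file is opened for writing.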

Affected Packages

Maven org.jenkins-ci.plugins:cobertura
Affected versions: 0 (fixed in 1.16)

Related CVEs

Key Information

GHSA ID: GHSA-m935-chfp-9f63
Published: May 24, 2022 5:10 PM
Last Modified: January 5, 2023 8:25 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:cobertura
GitHub Reviewed: Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.