RCE vulnerability in Jenkins Code Coverage API Plugin

2022-05-2419:12:36

Google

osv.dev

0.004 Low

EPSS

Percentile

73.0%

JSON

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

CPENameOperatorVersion
io.jenkins.plugins:code-coverage-apieq1.0.0-rc-1
io.jenkins.plugins:code-coverage-apieq1.0.5
io.jenkins.plugins:code-coverage-apieq1.1.3
io.jenkins.plugins:code-coverage-apieq1.0.0
io.jenkins.plugins:code-coverage-apieq1.0.10
io.jenkins.plugins:code-coverage-apieq1.1.1
io.jenkins.plugins:code-coverage-apieq1.2.0
io.jenkins.plugins:code-coverage-apieq1.0.4
io.jenkins.plugins:code-coverage-apieq1.0.1
io.jenkins.plugins:code-coverage-apieq1.3.2

Name	Operator	Version
io.jenkins.plugins:code-coverage-api	eq	1.0.0-rc-1
io.jenkins.plugins:code-coverage-api	eq	1.0.5
io.jenkins.plugins:code-coverage-api	eq	1.1.3
io.jenkins.plugins:code-coverage-api	eq	1.0.0
io.jenkins.plugins:code-coverage-api	eq	1.0.10
io.jenkins.plugins:code-coverage-api	eq	1.1.1
io.jenkins.plugins:code-coverage-api	eq	1.2.0
io.jenkins.plugins:code-coverage-api	eq	1.0.4
io.jenkins.plugins:code-coverage-api	eq	1.0.1
io.jenkins.plugins:code-coverage-api	eq	1.3.2