CVE-2020-2138: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2020-2138 affects the Jenkins Cobertura Plugin versions 1.15 and earlier. This XML External Entity (XXE) vulnerability was discovered and reported by Federico Pellegrin, with the disclosure date of March 9, 2020. The vulnerability impacts the plugin's XML parsing functionality, specifically in the 'Publish Cobertura Coverage Report' post-build step (Jenkins Advisory, OSS Security).

The vulnerability stems from the Cobertura Plugin's failure to properly configure its XML parser to prevent XML external entity (XXE) attacks. The severity is rated as High according to CVSS scoring system. The vulnerability is identified as CWE-611, which relates to improper restriction of XML external entity references (NVD CNA Status, Jenkins Advisory).

When exploited, this vulnerability allows attackers who can control the input files for the 'Publish Cobertura Coverage Report' post-build step to parse crafted files that use external entities. This can lead to extraction of secrets from the Jenkins controller or enable server-side request forgery attacks (Jenkins Advisory).

The vulnerability has been fixed in Cobertura Plugin version 1.16, which disables external entity resolution for its XML parser. Users are advised to update to this version to mitigate the vulnerability. All versions up to and including 1.15 are considered vulnerable (Jenkins Advisory).