CVE-2020-2139: 
Java vulnerability analysis and mitigation

CVE-2020-2139 is an arbitrary file write vulnerability affecting Jenkins Cobertura Plugin versions 1.15 and earlier, discovered and disclosed on March 9, 2020. The vulnerability impacts the Jenkins master file system through the plugin's coverage report file handling functionality (Jenkins Advisory, NVD).

The vulnerability stems from the Cobertura Plugin's failure to validate file paths from the XML file it parses. The severity is rated as Medium according to the CVSS scoring system, with a CVSS 3.1 base score of 6.5 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows attackers with the ability to control the coverage report content to overwrite any file on the Jenkins master file system, potentially leading to system compromise or data manipulation (Jenkins Advisory).

The vulnerability has been fixed in Cobertura Plugin version 1.16, which implements proper file path sanitization to prevent escape from the base directory. Users are strongly advised to upgrade to this version or later to mitigate the vulnerability (Jenkins Advisory).