CVE-2020-2172: 
Java vulnerability analysis and mitigation

The Jenkins Code Coverage API Plugin version 1.1.4 and earlier contains a critical XML External Entity (XXE) vulnerability identified as CVE-2020-2172. This security flaw was discovered and reported by Federico Pellegrin, and was publicly disclosed on April 7, 2020. The vulnerability affects the Code Coverage API Plugin's XML parsing functionality when processing coverage reports (Jenkins Advisory, OSS Security).

The vulnerability stems from a misconfiguration in the XML parser used by the Code Coverage API Plugin, which fails to prevent XML external entity (XXE) attacks. The issue specifically affects the "Publish Coverage Report" post-build step functionality. The vulnerability has been assigned a severity rating of High according to CVSS scoring metrics (Jenkins Advisory).

When exploited, this vulnerability allows attackers who can control the input files for the "Publish Coverage Report" post-build step to parse crafted files that use external entities. This can lead to the extraction of secrets from the Jenkins controller or enable server-side request forgery attacks (Jenkins Advisory).

The vulnerability has been fixed in Code Coverage API Plugin version 1.1.5, which disables external entity resolution for its XML parser. Users are strongly advised to upgrade to this version or later to address the security issue (Jenkins Advisory).