CVE-2021-21677: 
Java vulnerability analysis and mitigation

Jenkins Code Coverage API Plugin 1.4.0 and earlier contains a remote code execution vulnerability (CVE-2021-21677) discovered in August 2021. The vulnerability stems from the plugin's failure to apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk (Jenkins Advisory, OSS Security).

The vulnerability is rated as High severity with a CVSS v3.1 Base Score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The core issue involves improper implementation of deserialization protection, specifically the JEP-200 protection mechanism, when handling Java objects read from disk. This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD).

The vulnerability results in a remote code execution (RCE) capability that can be exploited by attackers who have control over agent processes. This allows potential attackers to execute arbitrary code within the context of the Jenkins server (Jenkins Advisory).

The vulnerability was fixed in Code Coverage API Plugin version 1.4.1, which properly configures Java object deserialization to only deserialize safe types. Users are strongly advised to update to this version or later to address the security issue (Jenkins Advisory).