CVE-2020-2138

7.1 HIGH
XXE

📋 TL;DR

CVE-2020-2138 is an XML External Entity (XXE) vulnerability in Jenkins Cobertura Plugin versions 1.15 and earlier. It allows attackers to read arbitrary files from the Jenkins controller file system by exploiting improper XML parser configuration. This affects Jenkins instances using the vulnerable Cobertura Plugin.

💻 Affected Systems

Products:
  • Jenkins Cobertura Plugin
Versions: 1.15 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with Cobertura Plugin installed and configured to process Cobertura coverage reports.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Jenkins controller through arbitrary file read, potentially leading to credential theft, configuration exposure, and lateral movement within the environment.

🟠 Likely Case: Unauthorized reading of sensitive files on the Jenkins controller, including credentials, configuration files, and source code.

🟢 If Mitigated: Limited impact with proper network segmentation and file system permissions, though sensitive data exposure remains possible.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet are directly vulnerable to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit malicious Cobertura XML reports to Jenkins, typically requiring some level of access to the Jenkins instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cobertura Plugin 1.16

Vendor Advisory: https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1700

Restart Required: Yes

Instructions:

1. Update Jenkins Cobertura Plugin to version 1.16 or later via Jenkins Plugin Manager.
2. Restart the Jenkins service after the update.
3. Verify the plugin version in the Jenkins plugin management interface.

🔧 Temporary Workarounds

Disable Cobertura Plugin (platforms: all)

Temporarily disable the vulnerable plugin if immediate patching is not possible.

Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find Cobertura Plugin > Disable

Restrict XML Processing (platforms: all)

Configure XML parser security features if custom XML processing of coverage reports is used.

Set XML parser properties: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true. In JAXP terms these are XMLConstants.FEATURE_SECURE_PROCESSING and the Xerces feature http://apache.org/xml/features/disallow-doctype-decl; rejecting every DOCTYPE removes the entity-declaration mechanism that XXE relies on.
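The parser hardening described above, written out as an added example (this is not code from the Cobertura Plugin or from the Jenkins advisory; the class name HardenedCoverageParser, the method names and the two sample documents are constructed for illustration). It builds a JAXP DocumentBuilder with secure processing on and DOCTYPE declarations disallowed, then shows that a plain coverage report parses while a report carrying a DOCTYPE is rejected before any entity can be declared:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Hardened JAXP parser for coverage-report XML. Added example, not the
 * plugin's own code; class and method names are hypothetical.
 */
public class HardenedCoverageParser {

    /** A DocumentBuilder that refuses DOCTYPE declarations and external entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Secure processing: enforces the JDK's entity-expansion and size limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: any <!DOCTYPE ...> fails the parse outright, which
        // removes the place where entities (internal or external) are declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE feature is ever relaxed.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Parses a report and returns its line-rate attribute; throws SAXException if rejected. */
    public static String parseLineRate(String xml) throws Exception {
        Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getAttribute("line-rate");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal document in the Cobertura coverage format.
        String clean = "<?xml version=\"1.0\"?><coverage line-rate=\"0.91\"><packages/></coverage>";
        System.out.println("clean report line-rate = " + parseLineRate(clean));

        // Constructed sample: the same report with a DOCTYPE that declares an entity.
        // Even this harmless internal entity is refused, so no external one can get through.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE coverage [<!ENTITY e \"0.5\">]>"
                + "<coverage line-rate=\"&e;\"><packages/></coverage>";
        try {
            parseLineRate(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The feature URIs are the ones the JDK's bundled Xerces understands; setFeature throws ParserConfigurationException on a parser that does not know them, which is the right failure mode for a security setting (fail closed rather than silently continue). Disallowing DOCTYPE is the single setting that matters most here: the remaining features only matter if that one is turned off.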

🧯 If You Can't Patch

  • Implement strict network access controls to limit Jenkins controller exposure
  • Apply file system permissions to restrict sensitive file access from Jenkins process

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Cobertura Plugin version. If version is 1.15 or earlier and plugin is enabled, the system is vulnerable.

Check Version:

Check via Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab > Cobertura Plugin

Verify Fix Applied:

Verify Cobertura Plugin version is 1.16 or later in Jenkins plugin management interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in Jenkins logs
  • Errors related to XML parsing of Cobertura reports
  • Failed attempts to parse malformed XML

Network Indicators:

  • Unusual XML payloads in HTTP POST requests to Jenkins
  • Requests containing external entity references in XML

SIEM Query:

source="jenkins.log" AND ("XML parsing error" OR "DOCTYPE" OR "ENTITY" OR "file://")
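The same indicators as the SIEM query, applied offline to a handful of log lines as an added example (not part of the original page; the log lines are constructed, and the CoberturaXxeLogScan class, its methods and the logger names in the samples are hypothetical). It reports which indicator fired on each line and whether the line is attributable to the Cobertura plugin, which is the first triage question an analyst asks about a hit:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Offline scan of Jenkins log lines for the XXE indicators in the SIEM query above. */
public class CoberturaXxeLogScan {

    // The query's four terms. DOCTYPE and ENTITY use word boundaries so that an
    // identifier such as "EntityResolver" does not match; matching is case-insensitive
    // because parser messages and raw payload fragments differ in case.
    private static final Pattern INDICATORS = Pattern.compile(
            "XML parsing error|\\bDOCTYPE\\b|\\bENTITY\\b|file://", Pattern.CASE_INSENSITIVE);

    // Context marker: does the line come from the plugin's own logger / publisher?
    private static final Pattern COBERTURA = Pattern.compile("cobertura", Pattern.CASE_INSENSITIVE);

    /** One finding: the indicator term that matched, whether Cobertura was mentioned, and the line. */
    public record Finding(String indicator, boolean coberturaContext, String line) {}

    /** Returns a finding for each line that contains at least one indicator. */
    public static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = INDICATORS.matcher(line);
            if (m.find()) {
                findings.add(new Finding(m.group(), COBERTURA.matcher(line).find(), line));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log lines; logger names are illustrative, not the plugin's real ones.
        List<String> sample = List.of(
            "2020-03-10 12:00:01 INFO  cobertura.ReportPublisher: Publishing coverage report for job demo",
            "2020-03-10 12:00:02 WARNING cobertura.ReportParser: XML parsing error: DOCTYPE is disallowed "
                + "when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.",
            "2020-03-10 12:00:03 INFO  hudson.model.Run: demo #42 completed: SUCCESS",
            "2020-03-10 12:00:04 WARNING hudson.util.XStream2: could not resolve EntityResolver for config.xml",
            "2020-03-10 12:00:05 SEVERE cobertura.ReportParser: unexpected SYSTEM identifier file:///etc/hostname in report"
        );
        for (Finding f : scan(sample)) {
            System.out.printf("[%s] cobertura=%b  %s%n", f.indicator(), f.coberturaContext(), f.line());
        }
        // Expected: two findings, both in Cobertura context (line 2 on "XML parsing error",
        // line 5 on "file://"); lines 1, 3 and 4 produce no finding.
    }
}
```

Lines in Cobertura context that match "XML parsing error" or "DOCTYPE" after the fix is applied are the expected trace of a blocked attempt and are worth alerting on; a "file://" hit on an unpatched controller is the one to escalate, since there the parser may have resolved the reference.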
