Jenkins Security Advisory 2017-03-07
This advisory announces a vulnerability in the Maven Pipeline Plugin.
Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master
The Maven Pipeline Plugin 0.5 and older, as well as 2.0-beta-5 and older, allowed users to copy and read arbitrary files accessible from the Jenkins master process in a Pipeline script by specifying that file’s path on the Jenkins master as mavenSettingsFilePath or globalMavenSettingsFilePath.
- SECURITY-441 is considered high severity.
- Users of Maven Pipeline Plugin should update it to version 0.6 or newer, or version 2.0-beta-6 or newer.
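To find Pipeline scripts that pass a path through the two parameters named above, the following added example (not part of the advisory or the plugin's code) lists each use for review. The `withMaven` step name in the constructed sample and the triage labels are assumptions of this example.

```python
import re

# Parameter names as given in the advisory.
PARAMS = ("mavenSettingsFilePath", "globalMavenSettingsFilePath")

# Groovy named argument: either a quoted literal or some other expression.
ARG = re.compile(
    r"\b(?P<param>" + "|".join(PARAMS) + r")\s*:\s*"
    r"(?:(?P<q>['\"])(?P<literal>.*?)(?P=q)|(?P<expr>[^,)\n]+))"
)

def classify(value, is_literal):
    """Triage label (heuristic assumed for this example)."""
    if not is_literal:
        return "dynamic"  # path computed at run time: review where the value comes from
    parts = value.replace("\\", "/").split("/")
    if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", value) or ".." in parts:
        return "absolute-or-traversal"
    return "relative"

def audit_pipeline_script(text):
    """Return (line number, parameter, value, label) for each use of the two parameters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        for m in ARG.finditer(line):
            literal = m.group("literal")
            is_literal = literal is not None
            value = literal if is_literal else m.group("expr").strip()
            findings.append((lineno, m.group("param"), value, classify(value, is_literal)))
    return findings

# Constructed sample Pipeline script (not from the advisory).
SAMPLE_JENKINSFILE = """\
node {
    // constructed sample
    withMaven(mavenSettingsFilePath: 'ci/settings.xml') {
        sh 'mvn -B verify'
    }
    withMaven(globalMavenSettingsFilePath: "/opt/example/global-settings.xml") {
        sh 'mvn -B verify'
    }
    withMaven(mavenSettingsFilePath: params.SETTINGS_PATH) {
        sh 'mvn -B verify'
    }
}
"""

if __name__ == "__main__":
    for finding in audit_pipeline_script(SAMPLE_JENKINSFILE):
        print("line %d: %s = %r [%s]" % finding)
```

On installations that still run an affected plugin version, entries labelled `absolute-or-traversal` or `dynamic` are the ones to review first.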