Jenkins Security Advisory 2017-03-07

This advisory announces a vulnerability in the Maven Pipeline Plugin.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

The Maven Pipeline Plugin 0.5 and older, as well as 2.0-beta-5 and older, allowed users to copy and read arbitrary files accessible from the Jenkins master process in a Pipeline script by specifying that file’s path on the Jenkins master as mavenSettingsFilePath or globalMavenSettingsFilePath.

Severity: 
  • SECURITY-441 is considered high.
Fix: 
  • Users of Maven Pipeline Plugin should update it to version 0.6 or newer, or version 2.0-beta-6 or newer.