CloudBees Security Advisory 2017-03-09

This advisory announces a vulnerability in the Maven Pipeline Plugin 0.6.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

Due to an improperly performed plugin release, version 0.6 of the Maven Pipeline Plugin is still affected by the vulnerability originally announced in the 2017-03-07 security advisory:

The Maven Pipeline Plugin allowed users to copy and read arbitrary files accessible from the Jenkins master process in a Pipeline script by specifying that file’s path on the Jenkins master as mavenSettingsFilePath or globalMavenSettingsFilePath.
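A defender reviewing Pipeline scripts for this issue wants to know which settings-file parameters name a location outside the job workspace. The following added example (not part of the advisory or the plugin) scans Jenkinsfile text for the two parameters named above and classifies each value; the `withMaven` step name in the constructed sample and the sample paths are assumptions for illustration.

```python
import re
import posixpath

# The two parameters the advisory names; version 0.6 resolved them on the master.
SETTINGS_PARAMS = ("mavenSettingsFilePath", "globalMavenSettingsFilePath")

# Matches  mavenSettingsFilePath: '...'  or  globalMavenSettingsFilePath: "..."
_PARAM_RE = re.compile(
    r'''\b(?P<name>{})\s*:\s*(?P<q>['"])(?P<value>.*?)(?P=q)'''.format("|".join(SETTINGS_PARAMS))
)

def classify_settings_path(value):
    """Classify a settings-file path literal as written in a Pipeline script.

    'dynamic'   - Groovy interpolation; cannot be judged statically
    'absolute'  - names a location on the host that evaluates the step
    'traversal' - relative, but escapes the workspace through '..'
    'relative'  - stays inside the workspace after normalisation
    """
    if "${" in value:
        return "dynamic"
    if value.startswith(("/", "~", "\\")) or re.match(r"^[A-Za-z]:[\\/]", value):
        return "absolute"
    normalised = posixpath.normpath(value.replace("\\", "/"))
    if normalised == ".." or normalised.startswith("../"):
        return "traversal"
    return "relative"

def find_risky_settings_paths(jenkinsfile_text):
    """Return (line_no, parameter, value, classification) for every settings
    path that is not a plain relative path inside the workspace."""
    findings = []
    for line_no, line in enumerate(jenkinsfile_text.splitlines(), start=1):
        for m in _PARAM_RE.finditer(line):
            kind = classify_settings_path(m.group("value"))
            if kind != "relative":
                findings.append((line_no, m.group("name"), m.group("value"), kind))
    return findings

# Constructed sample Jenkinsfile fragment (not taken from the advisory).
SAMPLE_JENKINSFILE = """\
node {
    withMaven(mavenSettingsFilePath: 'settings/settings.xml') { sh 'mvn -B verify' }
    withMaven(mavenSettingsFilePath: '/home/jenkins/.m2/settings.xml') { sh 'mvn -B verify' }
    withMaven(globalMavenSettingsFilePath: "../../shared/global.xml") { sh 'mvn -B verify' }
    withMaven(mavenSettingsFilePath: "${env.SETTINGS}") { sh 'mvn -B verify' }
}
"""

if __name__ == "__main__":
    for finding in find_risky_settings_paths(SAMPLE_JENKINSFILE):
        print("line %d: %s = %r (%s)" % finding)
```

Only the first sample line passes as a workspace-relative path; the absolute, traversing and interpolated values are reported for manual review.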

Severity

  • SECURITY-441: high.

Fix

  • Users of Maven Pipeline Plugin 0.6 or earlier should update it to version 0.7. Version 2.0-beta-6 has been released correctly.