CloudBees Security Advisory 2017-03-08

This advisory announces a vulnerability in the Maven Pipeline Plugin.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master


The Maven Pipeline Plugin 0.5 and older, as well as 2.0-beta-5 and older, allowed users to copy and read arbitrary files accessible from the Jenkins master process in a Pipeline script by specifying that file's path on the Jenkins master as mavenSettingsFilePath or globalMavenSettingsFilePath.


  • SECURITY-441 is considered high .


  • Users of Maven Pipeline Plugin should update it to version 0.6 or newer, or version 2.0-beta-6 or newer.