Jenkins Security Advisory 2017-03-07

This advisory announces a vulnerability in the Maven Pipeline Plugin.

Description

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

The Maven Pipeline Plugin allowed users to copy and read arbitrary files accessible from the Jenkins master process in a Pipeline script by specifying that file’s path on the Jenkins master as mavenSettingsFilePath or globalMavenSettingsFilePath.

Severity

  • SECURITY-441: high.

Affected versions

  • Maven Pipeline Plugin up to 0.5 and 2.0-beta-5. All previous versions are affected.

Fix

  • Users of Maven Pipeline Plugin should update it to version 0.6 or newer, or 2.0-beta-6 or newer.

Credit

The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:

  • Jesse Glick, CloudBees, Inc. for SECURITY-441