Jenkins Security Advisory 2017-03-09

This advisory announces a vulnerability in the Maven Pipeline Plugin 0.6.

Description

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

Due to an improperly performed plugin release, version 0.6 of the Maven Pipeline Plugin is still affected by the vulnerability originally announced in the 2017-03-07 security advisory:

The Maven Pipeline Plugin allowed users to copy and read arbitrary files accessible from the Jenkins master process in a Pipeline script by specifying that file’s path on the Jenkins master as mavenSettingsFilePath or globalMavenSettingsFilePath.

Severity

  • SECURITY-441: high.

Affected versions

  • Maven Pipeline Plugin version 0.6 and earlier, and 2.0-beta-5 and earlier. 2.0-beta-6 has been released correctly.

Fix

  • Users of Maven Pipeline Plugin 0.6 or earlier should update it to version 0.7.