This advisory announces a vulnerability in the Maven Pipeline Plugin.
SECURITY-441
The Maven Pipeline Plugin allowed users to copy and read arbitrary files accessible from the Jenkins controller process in a Pipeline script by specifying that file’s path on the Jenkins controller as mavenSettingsFilePath or globalMavenSettingsFilePath.
SECURITY-441: high.
Maven Pipeline Plugin up to 0.5 and 2.0-beta-5. All previous versions are affected.
Users of Maven Pipeline Plugin should update it to version 0.6 or newer, or 2.0-beta-6 or newer.
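A version check against the two release lines named above, as an added example that is not part of the advisory or the Jenkins project's code. It assumes version strings of the form N.N[.N] or 2.0-beta-N; the controller names in the sample inventory are constructed.

```python
import re

# Fixed releases named in the advisory, one per release line.
FIXED_STABLE = (0, 6, 0)   # fixed in 0.6
FIXED_BETA = 6             # fixed in 2.0-beta-6

_BETA = re.compile(r"2\.0-beta-(\d+)")
_STABLE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def is_affected(version):
    """True if `version` is in a range the advisory lists as affected.

    A single ">= 0.6" comparison is not enough: 2.0-beta-1 through
    2.0-beta-5 sort above 0.6 but are still affected.
    """
    v = version.strip()
    m = _BETA.fullmatch(v)
    if m:
        return int(m.group(1)) < FIXED_BETA
    m = _STABLE.fullmatch(v)
    if m:
        parts = tuple(int(p or 0) for p in m.groups())
        return parts < FIXED_STABLE
    # Assumption: any other format is unexpected; refuse to guess.
    raise ValueError("unrecognised version string: %r" % version)


def audit(inventory):
    """Split {controller: version} into (needs_update, needs_review)."""
    needs_update, needs_review = [], []
    for name, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                needs_update.append(name)
        except ValueError:
            needs_review.append(name)
    return needs_update, needs_review


# Constructed inventory; controller names are made up for the example.
SAMPLE = {"ci-a": "0.5", "ci-b": "0.6", "ci-c": "2.0-beta-5",
          "ci-d": "2.0-beta-6", "ci-e": "2.0", "ci-f": "custom-build"}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Versions the check cannot parse are reported for manual review instead of being counted as fixed.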
The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:
Jesse Glick, CloudBees, Inc. for SECURITY-441