Jenkins Security Advisory 2017-03-07

This advisory announces a vulnerability in the Maven Pipeline Plugin.


Maven Pipeline Plugin allows reading arbitrary files from the Jenkins controller


The Maven Pipeline Plugin allowed users to copy and read arbitrary files accessible from the Jenkins controller process in a Pipeline script by specifying that file’s path on the Jenkins controller as mavenSettingsFilePath or globalMavenSettingsFilePath.


Severity

  • SECURITY-441: high.

Affected versions

  • Maven Pipeline Plugin up to 0.5 and 2.0-beta-5. All previous versions are affected.


Fix

  • Users of Maven Pipeline Plugin should update it to version 0.6 or newer, or 2.0-beta-6 or newer.
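
A triage helper for this advisory, added here as an example and not part of the Jenkins advisory or the plugin's code: it classifies an installed plugin version against the affected and fixed versions above, and lists literal mavenSettingsFilePath and globalMavenSettingsFilePath values in a Pipeline script so they can be reviewed. The withMaven step name and the paths in the sample script are assumptions constructed for illustration, as is the choice to treat every non-beta release below 0.6 as affected.

```python
import re

FIXED_RELEASE = (0, 6)    # 0.6 fixes the 0.x line, per the advisory
FIXED_BETA = ((2, 0), 6)  # 2.0-beta-6 fixes the 2.0 beta line, per the advisory

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-beta-(\d+))?$")
# Matches only quoted literal values; paths built from variables need manual review.
_PARAM = re.compile(r"\b((?:globalM|m)avenSettingsFilePath)\s*:\s*(['\"])(.*?)\2")

# Constructed sample Pipeline script (step name and paths are illustrative).
SAMPLE_PIPELINE = """\
node {
  withMaven(mavenSettingsFilePath: 'ci/settings.xml') {
    sh 'mvn -B verify'
  }
  withMaven(globalMavenSettingsFilePath: "/constructed/example/global-settings.xml") {
    sh 'mvn -B verify'
  }
}
"""


def is_affected(version):
    """True if `version` predates the SECURITY-441 fix on its release line."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    if m.group(2) is not None:
        # Beta build: affected when it sorts before 2.0-beta-6.
        return (release, int(m.group(2))) < FIXED_BETA
    # Assumption: any non-beta release below 0.6 (e.g. 0.5.1) counts as affected.
    return release < FIXED_RELEASE


def find_settings_paths(pipeline_text):
    """Return (line_number, parameter, path) for each literal settings path."""
    hits = []
    for lineno, line in enumerate(pipeline_text.splitlines(), start=1):
        for m in _PARAM.finditer(line):
            hits.append((lineno, m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    for v in ("0.5", "0.6", "2.0-beta-5", "2.0-beta-6"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in find_settings_paths(SAMPLE_PIPELINE):
        print("review:", hit)
```
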


The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:

  • Jesse Glick, CloudBees, Inc. for SECURITY-441