A flaw was found in Jenkins weekly up to and including 2.106 and Jenkins LTS up to and including 2.89.3. Jenkins did not take into account case-insensitive file systems when preventing access to plugin resource files that should not be accessible. This allowed users with Overall/Read permission to download plugin resource files in META-INF and WEB-INF directories, such as the plugins' JAR files, which could contain hardcoded secrets.
References:
https://jenkins.io/security/advisory/2018-02-14/