CVE-2018-1000057 org.jenkins-ci.plugins:credentials-binding

Package

Manager: maven
Name: org.jenkins-ci.plugins:credentials-binding
Vulnerable Version: >=0 <1.15

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0003 (percentile 0.07078)

Details

Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials

The Jenkins Credentials Binding plugin allows specifying passwords and other secrets as environment variables, and hides them from console output in builds. However, because Jenkins tries to resolve references to other environment variables in the environment variables passed to a build, the value a build receives can differ from the one specified. For example, the value `p4$$w0rd` results in Jenkins passing on `p4$w0rd`, as `$$` is the escape sequence for a single `$`. The Credentials Binding plugin does not prevent such a transformed value (e.g. `p4$w0rd`) from being shown in the build log, allowing users to reconstruct the actual password value from the transformed one.

The Credentials Binding plugin now escapes any `$` characters in password values so they are passed to the build unchanged. This issue applied to freestyle and other classic job types, but does not apply to Pipelines.

Metadata

Created: 2022-05-13T01:48:30Z
Modified: 2023-12-28T18:43:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-38xm-xhvj-q2qf/GHSA-38xm-xhvj-q2qf.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-38xm-xhvj-q2qf
Finding: F035
Auto approve: 1