CVE-2020-2181 – org.jenkins-ci.plugins:credentials-binding
Package
Manager: maven
Name: org.jenkins-ci.plugins:credentials-binding
Vulnerable Version: >=0 <1.23
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.001 (percentile 0.28284)
Details
Secrets are not masked by Jenkins Credentials Binding Plugin in builds without build steps

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. Jenkins Credentials Binding Plugin 1.23 now masks secrets when the build contains no build steps.
Metadata
Created: 2022-05-24T17:17:14Z
Modified: 2023-12-14T09:16:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43j2-r4v3-m8jp/GHSA-43j2-r4v3-m8jp.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-43j2-r4v3-m8jp
Finding: F035
Auto approve: 1