Fluid Attacks Database

Description

Jenkins Pipeline: Groovy Plugin has Insufficiently Protected Credentials Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds.

This allows attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

Pipeline: Groovy Plugin 2656.vf7a_e7b_75a_457 does not allow builds containing password parameters to be replayed.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.plugins.workflow:workflow-cps	>=0 <2656.vf7a_e7b_75a_457	2656.vf7a_e7b_75a_457

Aliases

1. CVE-2022-251802. NVD-2022-251803. OSV-2022-251804. GCVE-2022-25180

References

1. https://github.com/jenkinsci/workflow-cps-plugin/commit/886676efdd711e126307ec70a539f2fe613151f92. https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2443

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.