4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
7.1 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.7%
Jenkins Credentials Binding plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds.
However, since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in values other than the one specified being provided to a build. For example, the value p4$$w0rd
would result in Jenkins passing on p4$w0rd
, as $$
is the escape sequence for a single $
.
Credentials Binding plugin does not prevent such a transformed value (e.g. p4$w0rd
) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.
Credentials Binding plugin will now escape any $
characters in password values so they are correctly passed to the build.
This issue did apply to freestyle and other classic job types, but does not apply to Pipelines.
CPE | Name | Operator | Version |
---|---|---|---|
org.jenkins-ci.plugins:credentials-binding | lt | 1.15 |
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
7.1 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.7%