42 matches found
CVE-2026-48922
Jenkins Credentials Binding Plugin 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution i...
CVE-2026-48922
CVE-2026-48922 affects Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier. The issue is improper sanitization of file names for file and zip file credentials, enabling a job to write files to arbitrary locations on the node filesystem. This can lead to remote code execution if Jenk...
CVE-2026-48922
Jenkins Credentials Binding Plugin 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution i...
PT-2026-44015
Name of the Vulnerable Software and Affected Versions Jenkins Credentials Binding Plugin versions 720.v3f6decef43ea and earlier Description Insufficient sanitization of file names for file and zip file credentials allows attackers who can provide credentials to a job to write files to arbitrary...
RHCOS 4 : OpenShift Container Platform 4.5.6 (RHSA-2020:3453)
The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3453 advisory. - jenkins-credentials-binding-plugin: information disclosure in build log when build contains no build steps CVE-2020-2181 -...
PT-2026-35914
Name of the Vulnerable Software and Affected Versions Jenkins Credentials Binding Plugin versions prior to 719.v80e905ef14eb Description Insufficient sanitization of file names for file and zip file credentials allows attackers who can provide credentials to a job to write files to arbitrary...
EUVD-2022-0609
Malicious code in bioql PyPI...
EUVD-2025-20864
Malicious code in bioql PyPI...
Logging of Excessive Data
Overview org.jenkins-ci.plugins:credentials-binding is a plugin that allows credentials to be bound to environment variables for use from miscellaneous build steps. Affected versions of this package are vulnerable to Logging of Excessive Data via exception messages written to the build log. An...
GHSA-9768-HPRV-CRJ5 Jenkins Credentials Binding Plugin vulnerability can expose sensitive information in logger messages
Jenkins Credentials Binding Plugin 687.v619cb15e923f and earlier does not properly mask i.e., replace with asterisks credentials present in exception error messages that are written to the build log. Credentials Binding Plugin 687.689.v1af775332fc9 rethrows exceptions that contain credentials,...
Jenkins Credentials Binding Plugin vulnerability can expose sensitive information in logger messages
Jenkins Credentials Binding Plugin 687.v619cb15e923f and earlier does not properly mask i.e., replace with asterisks credentials present in exception error messages that are written to the build log. Credentials Binding Plugin 687.689.v1af775332fc9 rethrows exceptions that contain credentials,...
CVE-2025-53650
Jenkins Credentials Binding Plugin 687.v619cb15e923f and earlier does not properly mask i.e., replace with asterisks credentials present in exception error messages that are written to the build log...
CVE-2025-53650
CVE-2025-53650 affects Jenkins Credentials Binding Plugin (687.v619cb_15e923f and earlier). The root cause is that credentials are not properly masked in exception error messages written to build logs, potentially exposing secrets. Documented CVSS v3.1 base score is 7.3 (HIGH) with network attack...
CVE-2025-53650
Jenkins Credentials Binding Plugin 687.v619cb15e923f and earlier does not properly mask i.e., replace with asterisks credentials present in exception error messages that are written to the build log...
PT-2025-28902 · Jenkins · Jenkins Credentials Binding Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Credentials Binding Plugin versions 687.v619cb 15e923f and earlier Description: The Jenkins Credentials Binding Plugin does not properly mask credentials present in exception error messages written to the build log. This can lead to t...
GHSA-7FF8-QFWX-8GX5 Improper masking of some secrets in Jenkins Credentials Binding Plugin
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is...
GHSA-43J2-R4V3-M8JP Secrets are not masked by Jenkins Credentials Binding Plugin in builds without build steps
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask i.e., replace with asterisks secrets in the build log when the build contains no build steps. Jenkins Credentials Binding Plugin 1.23 now masks secrets when the build contains no build steps...
Jenkins Credentials Binding Plugin Stores Passwords in a Recoverable Format
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line 30 passwordVariable. The attack vector is: Attacker creates and executes a...
GHSA-J7GW-MWFG-VQF4 Jenkins Credentials Binding Plugin Stores Passwords in a Recoverable Format
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line 30 passwordVariable. The attack vector is: Attacker creates and executes a...
CVE-2022-20616
A missing permissions validation vulnerability was found in the Jenkins Credentials Binding plugin. The form validation method does not perform a permission check which allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a z...