Vulnerabilities related to jenkins - credentials_binding
Vulnerability from fkie_nvd
Published
2019-07-19 17:15
Modified
2024-11-21 04:18
Summary
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.
References
Source | URL | Tags
---|---|---
josh@bress.net | http://www.securityfocus.com/bid/109320 | Third Party Advisory, VDB Entry
josh@bress.net | https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/109320 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
jenkins | credentials_binding | 1.17
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:credentials_binding:1.17:*:*:*:*:jenkins:*:*", matchCriteriaId: "4A48CF1E-58E9-49ED-89AF-32D0987D03DD", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.", }, { lang: "es", value: "El plugin Credentials Binding versión 1.17 de Jenkins, está afectado por: CWE-257: Almacenamiento de Contraseñas en un Formato Recuperable. El impacto es: los usuarios autenticados pueden recuperar credenciales. El componente es: archivo config-variables.jelly line # 30 (passwordVariable). El vector de ataque es: El atacante crea y ejecuta un trabajo de Jenkins.", }, ], id: "CVE-2019-1010241", lastModified: "2024-11-21T04:18:05.100", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, 
impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-07-19T17:15:11.877", references: [ { source: "josh@bress.net", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/109320", }, { source: "josh@bress.net", tags: [ "Exploit", "Third Party Advisory", ], url: "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/109320", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", }, ], sourceIdentifier: "josh@bress.net", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-257", }, ], source: "josh@bress.net", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-522", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-09 23:29
Modified
2024-11-21 03:39
Summary
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://jenkins.io/security/advisory/2018-02-05/ | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://jenkins.io/security/advisory/2018-02-05/ | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
jenkins | credentials_binding | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "A9F1807D-740D-42D0-A23D-1FB555211ABA", versionEndIncluding: "1.14", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.", }, { lang: "es", value: "Jenkins Credentials Binding Plugin, en versiones 1.14 y anteriores, oculta las contraseñas que proporciona para construir procesos en sus archivos de registro de builds. Sin embargo, Jenkins transforma los valores de contraseña proporcionados, por ejemplo, reemplazando las referencias de variables de entorno, lo que podría resultar en que los valores sean diferentes pero similares a contraseñas configuradas que se entregan a la build. 
Estos valores no están sujetos a ocultación y podrían permitir que usuarios autorizados recuperen la contraseña original.", }, ], id: "CVE-2018-1000057", lastModified: "2024-11-21T03:39:32.780", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-09T23:29:02.073", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-02-05/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-02-05/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-522", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-05-06 13:15
Modified
2024-11-21 05:24
Summary
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.
References
Source | URL | Tags
---|---|---
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2020/05/06/3 | Mailing List, Third Party Advisory
jenkinsci-cert@googlegroups.com | https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2020/05/06/3 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
jenkins | credentials_binding | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "EF0577D2-1149-4191-A840-18ED1FCF6DD1", versionEndIncluding: "1.22", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.", }, { lang: "es", value: "Jenkins Credentials Binding Plugin versiones 1.22 y anteriores, no enmascara (es decir, reemplazar con asteriscos) los secretos que contienen un carácter \"$\" en algunas circunstancias.", }, ], id: "CVE-2020-2182", lastModified: "2024-11-21T05:24:53.373", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-05-06T13:15:14.180", references: [ { source: "jenkinsci-cert@googlegroups.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, { source: 
"jenkinsci-cert@googlegroups.com", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835", }, ], sourceIdentifier: "jenkinsci-cert@googlegroups.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-522", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-01-12 20:15
Modified
2024-11-21 06:43
Summary
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.
References
Source | URL | Tags
---|---|---
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/01/12/6 | Mailing List, Third Party Advisory
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/12/6 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
jenkins | credentials_binding | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "AF1AD54A-8ED1-43D5-A783-3E0CB27CFA79", versionEndIncluding: "1.27", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.", }, { lang: "es", value: "El plugin Jenkins Credentials Binding versiones 1.27 y anteriores, no lleva a cabo una comprobación de permisos en un método que implementa la comprobación de formularios, que permite a atacantes con acceso Overall/Read comprobar si un ID de credencial es referido a una credencial de archivo secreto y si es un archivo zip", }, ], id: "CVE-2022-20616", lastModified: "2024-11-21T06:43:10.047", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, 
published: "2022-01-12T20:15:08.857", references: [ { source: "jenkinsci-cert@googlegroups.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/01/12/6", }, { source: "jenkinsci-cert@googlegroups.com", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/01/12/6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342", }, ], sourceIdentifier: "jenkinsci-cert@googlegroups.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-05-06 13:15
Modified
2024-11-21 05:24
Summary
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.
References
Source | URL | Tags
---|---|---
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2020/05/06/3 | Mailing List, Third Party Advisory
jenkinsci-cert@googlegroups.com | https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2020/05/06/3 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
jenkins | credentials_binding | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "EF0577D2-1149-4191-A840-18ED1FCF6DD1", versionEndIncluding: "1.22", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.", }, { lang: "es", value: "Jenkins Credentials Binding Plugin versiones 1.22 y anteriores, no enmascara (es decir, reemplazar con asteriscos) los secretos en el registro de compilación cuando la compilación contiene pasos sin compilar.", }, ], id: "CVE-2020-2181", lastModified: "2024-11-21T05:24:53.207", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-05-06T13:15:14.103", references: [ { source: "jenkinsci-cert@googlegroups.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, { source: 
"jenkinsci-cert@googlegroups.com", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374", }, ], sourceIdentifier: "jenkinsci-cert@googlegroups.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-522", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2018-1000057
Vulnerability from cvelistv5
Published
2018-02-09 23:00
Modified
2024-08-05 12:33
Summary
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.
References
URL | Tags
---|---
https://jenkins.io/security/advisory/2018-02-05/ | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T12:33:48.676Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jenkins.io/security/advisory/2018-02-05/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], dateAssigned: "2018-02-05T00:00:00", datePublic: "2018-02-05T00:00:00", descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-02-09T22:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://jenkins.io/security/advisory/2018-02-05/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", DATE_ASSIGNED: "2/5/2018 0:00:00", ID: "CVE-2018-1000057", REQUESTER: "ml@beckweb.net", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. 
replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://jenkins.io/security/advisory/2018-02-05/", refsource: "CONFIRM", url: "https://jenkins.io/security/advisory/2018-02-05/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-1000057", datePublished: "2018-02-09T23:00:00", dateReserved: "2018-02-05T00:00:00", dateUpdated: "2024-08-05T12:33:48.676Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-1010241
Vulnerability from cvelistv5
Published
2019-07-19 16:36
Modified
2024-08-05 03:07
Summary
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.
References
URL | Tags
---|---
https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing | x_refsource_MISC
http://www.securityfocus.com/bid/109320 | vdb-entry, x_refsource_BID
Impacted products
Vendor | Product | Version
---|---|---
Jenkins Credentials Binding Plugin | Jenkins | 1.17
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:07:18.552Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", }, { name: "109320", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/109320", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins", vendor: "Jenkins Credentials Binding Plugin", versions: [ { status: "affected", version: "1.17", }, ], }, ], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-257", description: "CWE-257: Storing Passwords in a Recoverable Format", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2019-07-26T07:06:04", orgId: "7556d962-6fb7-411e-85fa-6cd62f095ba8", shortName: "dwf", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", }, { name: "109320", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/109320", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve-assign@distributedweaknessfiling.org", ID: "CVE-2019-1010241", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Jenkins", version: { version_data: [ { version_value: "1.17", }, ], }, }, ], }, vendor_name: "Jenkins Credentials Binding Plugin", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { 
description_data: [ { lang: "eng", value: "Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-257: Storing Passwords in a Recoverable Format", }, ], }, ], }, references: { reference_data: [ { name: "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", refsource: "MISC", url: "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", }, { name: "109320", refsource: "BID", url: "http://www.securityfocus.com/bid/109320", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "7556d962-6fb7-411e-85fa-6cd62f095ba8", assignerShortName: "dwf", cveId: "CVE-2019-1010241", datePublished: "2019-07-19T16:36:02", dateReserved: "2019-03-20T00:00:00", dateUpdated: "2024-08-05T03:07:18.552Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-20616
Vulnerability from cvelistv5
Published
2022-01-12 19:05
Modified
2024-08-03 02:17
Summary
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.
References
URL | Tags
---|---
https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342 | x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2022/01/12/6 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Jenkins project | Jenkins Credentials Binding Plugin | unspecified <
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T02:17:52.979Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342", }, { name: "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/01/12/6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins Credentials Binding Plugin", vendor: "Jenkins project", versions: [ { lessThanOrEqual: "1.27", status: "affected", version: "unspecified", versionType: "custom", }, { status: "unaffected", version: "1.24.1", }, ], }, ], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.", }, ], providerMetadata: { dateUpdated: "2023-10-24T14:19:04.745Z", orgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", shortName: "jenkins", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342", }, { name: "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2022/01/12/6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "jenkinsci-cert@googlegroups.com", ID: "CVE-2022-20616", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Jenkins Credentials Binding Plugin", version: { version_data: [ { version_affected: "<=", version_value: "1.27", }, { version_affected: "!", version_value: "1.24.1", }, ], }, }, ], }, 
vendor_name: "Jenkins project", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-862: Missing Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342", refsource: "CONFIRM", url: "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342", }, { name: "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2022/01/12/6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", assignerShortName: "jenkins", cveId: "CVE-2022-20616", datePublished: "2022-01-12T19:05:51", dateReserved: "2021-10-28T00:00:00", dateUpdated: "2024-08-03T02:17:52.979Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-2182
Vulnerability from cvelistv5
Published
2020-05-06 12:45
Modified
2024-08-04 07:01
Summary
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.
References
URL | Tags
---|---
https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835 | x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/05/06/3 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Jenkins project | Jenkins Credentials Binding Plugin | unspecified <
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T07:01:40.977Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835", }, { name: "[oss-security] 20200506 Multiple vulnerabilities in Jenkins plugins", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins Credentials Binding Plugin", vendor: "Jenkins project", versions: [ { lessThanOrEqual: "1.22", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.", }, ], providerMetadata: { dateUpdated: "2023-10-24T16:06:31.051Z", orgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", shortName: "jenkins", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835", }, { name: "[oss-security] 20200506 Multiple vulnerabilities in Jenkins plugins", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "jenkinsci-cert@googlegroups.com", ID: "CVE-2020-2182", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Jenkins Credentials Binding Plugin", version: { version_data: [ { version_affected: "<=", version_value: "1.22", }, ], }, }, ], }, vendor_name: "Jenkins project", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with 
asterisks) secrets containing a `$` character in some circumstances.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-522: Insufficiently Protected Credentials", }, ], }, ], }, references: { reference_data: [ { name: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835", refsource: "CONFIRM", url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835", }, { name: "[oss-security] 20200506 Multiple vulnerabilities in Jenkins plugins", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", assignerShortName: "jenkins", cveId: "CVE-2020-2182", datePublished: "2020-05-06T12:45:23", dateReserved: "2019-12-05T00:00:00", dateUpdated: "2024-08-04T07:01:40.977Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-2181
Vulnerability from cvelistv5
Published
2020-05-06 12:45
Modified
2024-08-04 07:01
Summary
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.
References
URL | Tags |
---|---|
https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374 | x_refsource_CONFIRM |
http://www.openwall.com/lists/oss-security/2020/05/06/3 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Credentials Binding Plugin | 1.22 and earlier |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T07:01:40.930Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374", }, { name: "[oss-security] 20200506 Multiple vulnerabilities in Jenkins plugins", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins Credentials Binding Plugin", vendor: "Jenkins project", versions: [ { lessThanOrEqual: "1.22", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.", }, ], providerMetadata: { dateUpdated: "2023-10-24T16:06:29.881Z", orgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", shortName: "jenkins", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374", }, { name: "[oss-security] 20200506 Multiple vulnerabilities in Jenkins plugins", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "jenkinsci-cert@googlegroups.com", ID: "CVE-2020-2181", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Jenkins Credentials Binding Plugin", version: { version_data: [ { version_affected: "<=", version_value: "1.22", }, ], }, }, ], }, vendor_name: "Jenkins project", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., 
replace with asterisks) secrets in the build log when the build contains no build steps.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-522: Insufficiently Protected Credentials", }, ], }, ], }, references: { reference_data: [ { name: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374", refsource: "CONFIRM", url: "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374", }, { name: "[oss-security] 20200506 Multiple vulnerabilities in Jenkins plugins", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2020/05/06/3", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", assignerShortName: "jenkins", cveId: "CVE-2020-2181", datePublished: "2020-05-06T12:45:22", dateReserved: "2019-12-05T00:00:00", dateUpdated: "2024-08-04T07:01:40.930Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }