GHSA-38XM-XHVJ-Q2QF
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2023-12-28 18:43Jenkins Credentials Binding plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds.
However, since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in values other than the one specified being provided to a build. For example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as $$ is the escape sequence for a single $.
Credentials Binding plugin does not prevent such a transformed value (e.g. p4$w0rd) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.
Credentials Binding plugin will now escape any $ characters in password values so they are correctly passed to the build.
This issue did apply to freestyle and other classic job types, but does not apply to Pipelines.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:credentials-binding"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000057"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-28T18:43:13Z",
"nvd_published_at": "2018-02-09T23:29:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Credentials Binding plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds.\n\nHowever, since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in values other than the one specified being provided to a build. For example, the value `p4$$w0rd` would result in Jenkins passing on `p4$w0rd`, as `$$` is the escape sequence for a single `$`.\n\nCredentials Binding plugin does not prevent such a transformed value (e.g. `p4$w0rd`) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.\n\nCredentials Binding plugin will now escape any `$` characters in password values so they are correctly passed to the build.\n\nThis issue did apply to freestyle and other classic job types, but does not apply to Pipelines.",
"id": "GHSA-38xm-xhvj-q2qf",
"modified": "2023-12-28T18:43:13Z",
"published": "2022-05-13T01:48:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000057"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/credentials-binding-plugin/commit/0c75238933365aa52b26b7c73fd1f742bfaca9b1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/credentials-binding-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-02-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.