GHSA-7FF8-QFWX-8GX5

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-12-16 22:25
VLAI?
Summary
Improper masking of some secrets in Jenkins Credentials Binding Plugin
Details

Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is passed to (post) build steps.

Credentials Binding Plugin 1.22 and earlier does not mask the escaped form of the secret (containing $$). This occurs for example in the \"Execute Maven top-level targets\" build step included in Jenkins.\n\nCredentials Binding Plugin 1.23 now masks secrets both in their original form and with escaped $ characters, so they will be masked even if printed before value expansion.

Severity ?
3.1 (Low)
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.22"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:credentials-binding"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T00:56:55Z",
    "nvd_published_at": "2020-05-06T13:15:00Z",
    "severity": "LOW"
  },
  "details": "Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for [SECURITY-698](https://www.jenkins.io/security/advisory/2018-02-05/#credentials-binding), `$` characters in secrets are escaped to `$$`. This will then be expanded to $ again once the secret is passed to (post) build steps.\n\nCredentials Binding Plugin 1.22 and earlier does not mask the escaped form of the secret (containing `$$`). This occurs for example in the \\\"Execute Maven top-level targets\\\" build step included in Jenkins.\\n\\nCredentials Binding Plugin 1.23 now masks secrets both in their original form and with escaped `$` characters, so they will be masked even if printed before value expansion.",
  "id": "GHSA-7ff8-qfwx-8gx5",
  "modified": "2022-12-16T22:25:34Z",
  "published": "2022-05-24T17:17:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/credentials-binding-plugin/commit/77681e0d184b0ccafa2a27da3b3bdbba95b4fe8f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/credentials-binding-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/05/06/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper masking of some secrets in Jenkins Credentials Binding Plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.