CVE-2018-1000057

MEDIUM

Jenkins Credentials Binding Plugin <1.14 - Info Disclosure

Title source: llm

Description

Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.

References (1)

[Vendor Advisory] https://jenkins.io/security/advisory/2018-02-05/

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (2)

jenkins/credentials_binding < 1.14

org.jenkins-ci.plugins/credentials-binding < 1.15Maven

Timeline

Published Feb 09, 2018

Tracked Since Feb 18, 2026