CVE-2018-1000057: Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials
Basic Information

CVSS Score (v3.0): 4.3
CVE ID: CVE-2018-1000057
EPSS Score: 0.06877%
Published: 5/13/2022
Updated: 12/28/2023
KEV Status: No
Technology: Java
Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:credentials-binding | maven | < 1.15 | 1.15 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from how environment variables containing credentials were processed. The original code in `SecretBuildWrapper.java` used `env.putAll(e.getValues())`, which did not handle `$` characters in credential values. Since Jenkins interprets `$$` as a single `$`, a credential containing `$` would be transformed during expansion and could be exposed in the build log. The patched commit modifies this method to apply `pair.getValue().replace("$", "$$$$")` to each value, which shows that this was the vulnerable code path. The accompanying test-case changes confirm that the scenario involved `$` handling in credentials.
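As an added illustration (not code from the plugin or from this page), the following Python model of Jenkins' `hudson.Util.replaceMacro` expansion shows why a raw `$` in a secret gets transformed and then slips past log masking, and how escaping `$` before export preserves the secret. It assumes a single expansion pass and a masking step that searches for the secret exactly as the user configured it; the sample secrets and the `HOME` variable are constructed.

```python
import re

# Model of Jenkins' hudson.Util.replaceMacro: "$NAME" / "${NAME}" are resolved
# from a variable map, "$$" collapses to a literal "$", and references that
# cannot be resolved are left untouched.
_VARIABLE = re.compile(r"\$([A-Za-z0-9_]+|\{[A-Za-z0-9_.]+\}|\$)")

def replace_macro(s: str, variables: dict) -> str:
    idx = 0
    while True:
        m = _VARIABLE.search(s, idx)
        if not m:
            return s
        key = m.group(1)
        if key == "$":
            value = "$"
        else:
            if key.startswith("{"):
                key = key[1:-1]
            value = variables.get(key)
        if value is None:
            idx = m.end()  # unknown variable: leave the text as it is
        else:
            s = s[:m.start()] + value + s[m.end():]
            idx = m.start() + len(value)  # substituted text is not re-expanded

def escape_dollars(secret: str) -> str:
    # Escape each '$' so one expansion pass yields the original secret
    # (assumption: a single pass; the plugin's own patch is quoted above).
    return secret.replace("$", "$$")

def mask(log_line: str, secret: str) -> str:
    # Log masking, modelled as a search for the secret as the user entered it.
    return log_line.replace(secret, "****")

def demo(secret: str, env: dict) -> dict:
    """Pre-1.15 path (raw secret exported, then expanded) vs. the escaped path."""
    vulnerable = replace_macro(secret, env)
    patched = replace_macro(escape_dollars(secret), env)
    return {
        "vulnerable_value": vulnerable,
        "patched_value": patched,
        # what a build log shows if a step prints the bound value
        "vulnerable_log": mask(f"using {vulnerable}", secret),
        "patched_log": mask(f"using {patched}", secret),
    }

# Constructed sample secrets: one containing "$$", one that looks like "$HOME".
LEAK = demo("pa$$word", {})                      # vulnerable_log: using pa$word
REF = demo("abc$HOME", {"HOME": "/var/jenkins"}) # vulnerable_value: abc/var/jenkins
```

`LEAK` shows the `$$` collapse defeating masking, and `REF` shows a secret that happens to look like a variable reference being rewritten to the variable's value.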